16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local2021-08-11 14:08:21.125c:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F 23542300x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.380{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5290CAB8CB0B55074249F2C01D1DA95D,SHA256=E7FF4A3ACD88413A0977984B4667D3AE729EE11805F19B2AFCF1B5818E2C0C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.302{856D1934-D932-6113-1300-00000000E401}10521512C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.302{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ADFB43ED4706330C6DFE6D844C346CC7,SHA256=2E6559147AE579208CB39BD3F233EF1C600D8F5FA8F23E11EC42DDDD24B6E9B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.286{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:22.255{856D1934-D932-6113-1600-00000000E401}1300\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\System32\svchost.exe 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.255{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.255{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.255{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.239{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.223{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.208{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.208{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.160{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D6-6113-AF02-00000000E401}4632C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.129{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9D6-6113-AF02-00000000E401}4632C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.129{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D6-6113-AF02-00000000E401}4632C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.136{856D1934-D9D6-6113-AF02-00000000E401}4632C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.066{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.066{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.051{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.051{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.051{856D1934-D92F-6113-0A00-00000000E401}604344C:\Windows\system32\services.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:22.051{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:21.156{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:21.156{856D1934-D92F-6113-0A00-00000000E401}604668C:\Windows\system32\services.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:21.142{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{856D1934-D92F-6113-0A00-00000000E401}604C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local2021-08-11 14:08:22.223Started13.014.50 23542300x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.808{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5290CAB8CB0B55074249F2C01D1DA95D,SHA256=E7FF4A3ACD88413A0977984B4667D3AE729EE11805F19B2AFCF1B5818E2C0C99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.509{856D1934-D9D7-6113-B202-00000000E401}43564412C:\Windows\system32\cmd.exe{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.513{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9D7-6113-B202-00000000E401}4356C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9D7-6113-B202-00000000E401}4356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9D7-6113-B202-00000000E401}4356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.494{856D1934-D9D7-6113-B002-00000000E401}42204188C:\Windows\system32\WinrsHost.exe{856D1934-D9D7-6113-B202-00000000E401}4356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.495{856D1934-D9D7-6113-B202-00000000E401}4356C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.478{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.478{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.478{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.462{856D1934-D932-6113-1300-00000000E401}10521512C:\Windows\system32\svchost.exe{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.447{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.431{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9D7-6113-B102-00000000E401}4204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.392{856D1934-D9D7-6113-B002-00000000E401}4220C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.384{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.211{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.211{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.211{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.196{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.196{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.196{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.164{856D1934-D9D3-6113-A302-00000000E401}4892ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.133{856D1934-D9D3-6113-A402-00000000E401}2388ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.102{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.086{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.086{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.086{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.984{856D1934-D9D7-6113-B302-00000000E401}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xjwfun2y.hxb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.984{856D1934-D9D7-6113-B302-00000000E401}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sh1z5hbb.yjq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.093{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1-53192-true2001:0:2851:782c:24a0:226f:f5ff:fef1-445microsoft-ds 354300x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.093{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1-53192-true2001:0:2851:782c:24a0:226f:f5ff:fef1-445microsoft-ds 11241100x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.717{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sh1z5hbb.yjq.ps12021-08-11 14:08:24.717 10341000x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.702{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.089{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53191-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.089{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53191-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.084{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1-53190-truefe80:0:0:0:24a0:226f:f5ff:fef1-445microsoft-ds 354300x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.083{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1-53190-truefe80:0:0:0:24a0:226f:f5ff:fef1-445microsoft-ds 354300x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.079{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53189-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.079{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53189-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.137{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.121{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.121{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.121{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.656{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53349- 354300x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.125{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53196-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.125{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53196-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.118{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53195-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.118{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53195-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.115{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53194-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.115{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53194-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.111{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53193-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:24.111{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53193-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.721{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:5400:0:9850:353d:dc1:ffff-58431-truee000:fc:1551:100:d86c:0:1651:100-5355llmnr 354300x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.721{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local58431-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.719{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-837.attackrange.local53777-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.719{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local59892- 354300x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.719{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local59892-true0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domain 354300x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.329{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53859-false10.0.1.14win-dc-837.attackrange.local5986- 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9D9-6113-B502-00000000E401}4864C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9D9-6113-B502-00000000E401}4864C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.567{856D1934-D9D9-6113-B402-00000000E401}44284848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9D9-6113-B502-00000000E401}4864C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa557367(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cb480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cb0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa4a2729(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f998802d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99eba9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cdaae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cdaae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cd93f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99be65f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cbba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cb76e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cb480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99cb0bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa4a2729(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99b0366(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f99af8d8(wow64) 154100x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.572{856D1934-D9D9-6113-B502-00000000E401}4864C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.517{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.517{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.517{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:23.083{856D1934-D932-6113-1000-00000000E401}388win-dc-837.attackrange.local0fe80::2c4f:6ce1:a648:a5dd;fe80::24a0:226f:f5ff:fef1;2001:0:2851:782c:24a0:226f:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 10341000x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.455{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.455{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:25.408{856D1934-D9D9-6113-B402-00000000E401}4428\PSHost.132731645053384798.4428.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.392{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lo1xdm11.og5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.392{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qrv4dhq5.qey.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.392{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qrv4dhq5.qey.ps12021-08-11 14:08:25.392 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.376{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.329{856D1934-D9D7-6113-B302-00000000E401}43604444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fabe73d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fab3279b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa01809f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa07bb11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05db20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05db20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05d9b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa04e6d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05bc13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b7e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fab3279b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa0403d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa03f94a(wow64) 154100x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.338{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.251{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.251{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9D7-6113-B302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.157{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.157{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.157{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.157{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 17141700x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:25.000{856D1934-D9D7-6113-B302-00000000E401}4360\PSHost.132731645035131385.4360.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.797{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local49914- 354300x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.797{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local65418- 354300x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.797{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local62587- 354300x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.797{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local51093- 354300x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.719{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local62701- 23542300x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.709{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.outMD5=429D97D42A439750008BDE3AB0DDDF8B,SHA256=0A38594335E868D9AEFB2B10FEDD7D7C0D595B6E3A3E50781FB2A9DE87795B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.709{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.cmdlineMD5=576C8329AC974A2F73D56325E7DEF235,SHA256=4A7E29BA84953F96BBFEC4EE33A51D9269DC08DA9282F2BB178B507E3388ECDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.709{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.pdbMD5=7D43A9FEC22CBC0BCF1D48831B038688,SHA256=85023E5E5330EB209FFBDFE92CD53B7C74E49BFB374ABCF04F069DB7DC71A69A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.709{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.dllMD5=A0062B66CAC1797D7E46F2C93BA5BB92,SHA256=7BC65DE433529C90AE3486AE44646669969750563A22191B1D3FFED1A0E77841,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.709{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D9DA-6113-B602-00000000E401}4320ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSCFD45715CCF8B4F318C52FFC9BC997D10.TMPMD5=D89CAB2621ACE3BDFF8C81B9CD631EB3,SHA256=7D950451643EE705430CEDC124EBBE489856804760B339F45B0AA5A8F897ABE4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:08:26.694{856D1934-D9DA-6113-B602-00000000E401}4320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.dll2021-08-11 14:08:26.537 23542300x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D9DA-6113-B602-00000000E401}4320ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D9DA-6113-B602-00000000E401}4320ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESBD89.tmpMD5=E71DD3964C24B655B05F566C958DE5EA,SHA256=E5F64F38DF6774704C214EAF02C248B532C23308E6A0F849252F06A5577F4D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D9DA-6113-B702-00000000E401}4272ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESBD89.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9DA-6113-B702-00000000E401}4272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.678{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.678{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9DA-6113-B702-00000000E401}4272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.678{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.678{856D1934-D9DA-6113-B602-00000000E401}43204824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{856D1934-D9DA-6113-B702-00000000E401}4272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.691{856D1934-D9DA-6113-B702-00000000E401}4272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESBD89.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCFD45715CCF8B4F318C52FFC9BC997D10.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{856D1934-D9DA-6113-B602-00000000E401}4320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\wxqr15kd.cmdline" 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D9D7-6113-B102-00000000E401}42045064C:\Windows\system32\conhost.exe{856D1934-D9DA-6113-B602-00000000E401}4320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9DA-6113-B602-00000000E401}4320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.568{856D1934-D9D9-6113-B402-00000000E401}44284848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DA-6113-B602-00000000E401}4320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+7d836a|UNKNOWN(00007FF8A464C47F) 154100x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.540{856D1934-D9DA-6113-B602-00000000E401}4320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\wxqr15kd.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9D7-6113-5DDD-0D0000000000}0xddd5d0HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.537{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.cmdline2021-08-11 14:08:26.537 11241100x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:08:26.537{856D1934-D9D9-6113-B402-00000000E401}4428C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\wxqr15kd.dll2021-08-11 14:08:26.537 354300x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.154{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53200-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.154{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53200-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.150{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53199-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.150{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53199-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.146{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53198-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.146{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53198-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.141{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53197-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:25.141{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53197-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.396{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.396{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.380{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.192{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.192{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.192{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.192{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.917{856D1934-D9BC-6113-3B02-00000000E401}1500NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=F8A14EF16E2F14244F7C15B8095D0D7D,SHA256=55DF180C97CDF31EF6925C3BFC7DF68115C3E9A0C8197F39B528CAD7E8362C42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DB-6113-BD02-00000000E401}4692C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DB-6113-BD02-00000000E401}4692C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D9DB-6113-BC02-00000000E401}41804796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DB-6113-BD02-00000000E401}4692C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa7d73ab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4b4c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4b0ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa72276d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c08071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c6bae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4daf2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4daf2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4d983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c3e6a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4bbe5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4b7b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4b4c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c4b0ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa72276d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c303aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f9c2f91c(wow64) 154100x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.709{856D1934-D9DB-6113-BD02-00000000E401}4692C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.698{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.651{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.651{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:27.619{856D1934-D9DB-6113-BC02-00000000E401}4180\PSHost.132731645075583988.4180.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.604{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ujh5rep5.fs3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.604{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gpcmfaky.rdi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.604{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gpcmfaky.rdi.ps12021-08-11 14:08:27.604 10341000x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.588{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.556{856D1934-D9DB-6113-BB02-00000000E401}37644652C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f0384269|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7f8382|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7f7fbd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f02cf62b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7b4f2f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef8189a1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7fa9b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7fa9b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7fa841|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7eb561|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7f8aa3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7f8670|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7f8382|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7f7fbd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+f02cf62b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7dd268|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+ef7dc7da 154100x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.558{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.494{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.494{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:27.478{856D1934-D9DB-6113-BB02-00000000E401}3764\PSHost.132731645074132100.3764.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.462{856D1934-D9DB-6113-BB02-00000000E401}3764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cfhiea2k.rc5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.462{856D1934-D9DB-6113-BB02-00000000E401}3764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aprfcbbj.ung.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.447{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_aprfcbbj.ung.ps12021-08-11 14:08:27.447 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.431{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.415{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.415{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.415{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.415{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D9DB-6113-BA02-00000000E401}42521504C:\Windows\system32\cmd.exe{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.413{856D1934-D9DB-6113-BB02-00000000E401}3764C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DB-6113-BA02-00000000E401}4252C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DB-6113-BA02-00000000E401}4252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DB-6113-BA02-00000000E401}4252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D9DB-6113-B802-00000000E401}2580616C:\Windows\system32\WinrsHost.exe{856D1934-D9DB-6113-BA02-00000000E401}4252C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.407{856D1934-D9DB-6113-BA02-00000000E401}4252C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.400{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.384{856D1934-D932-6113-1300-00000000E401}10521792C:\Windows\system32\svchost.exe{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.368{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.368{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DB-6113-B902-00000000E401}3888C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.355{856D1934-D9DB-6113-B802-00000000E401}2580C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.353{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.337{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.227{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.227{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.211{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.211{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.211{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.181{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53203-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.181{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53203-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.177{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53202-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.177{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53202-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.173{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53201-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.173{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53201-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.180{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.180{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.180{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.164{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.164{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.164{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.133{856D1934-D9D7-6113-B302-00000000E401}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.086{856D1934-D9D9-6113-B402-00000000E401}4428ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.984{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.968{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.968{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D9DC-6113-C202-00000000E401}1682548C:\Windows\system32\cmd.exe{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.957{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DC-6113-C202-00000000E401}168C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.952{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DC-6113-C202-00000000E401}168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DC-6113-C202-00000000E401}168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D9DC-6113-C002-00000000E401}36762144C:\Windows\system32\WinrsHost.exe{856D1934-D9DC-6113-C202-00000000E401}168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.948{856D1934-D9DC-6113-C202-00000000E401}168C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.937{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.921{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.905{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DC-6113-C102-00000000E401}4676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.892{856D1934-D9DC-6113-C002-00000000E401}3676C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.890{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.874{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.717{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.717{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.701{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.686{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.686{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.686{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.654{856D1934-D9DB-6113-BB02-00000000E401}3764ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.623{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.475{856D1934-D930-6113-0B00-00000000E401}612_ldap._tcp.91e1cb78-958a-4f03-9cb9-dde214addfa4.domains._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.475{856D1934-D930-6113-0B00-00000000E401}612_ldap._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.474{856D1934-D930-6113-0B00-00000000E401}612_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.474{856D1934-D930-6113-0B00-00000000E401}612win-dc-837010.0.1.14;C:\Windows\System32\lsass.exe 13241300x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-SetValue2021-08-11 14:08:28.576{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 23542300x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.309{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.pdbMD5=9FA5A84E90F16ACBDA5542D2A5902D41,SHA256=FFC79FB8A6D2BF4B8E48592F4F7E6AE2D267EBD05EBDB17A4CCE9EF97EA6B017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.cmdlineMD5=650A9CDC883BE6ECC48E844A4612AA2E,SHA256=3CDAB07294BC61E8931362D6494178948E1263B77018D24AD8183E6CB2EE80A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.dllMD5=5BFE11934F8F59822B68B16662CBBB48,SHA256=A624862B2E94F3D5A493D78371CFAEFD6F376FA6A97829111B83CD4B27E1F218,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.outMD5=9D51CFDB26C4661B8CC8C6DB1E687123,SHA256=E627E3135C0A740854FAF9CE1E454D06DCD0BAACB8EC93DD7EC46FB1408A2FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DB-6113-BC02-00000000E401}4180ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DC-6113-BE02-00000000E401}4532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC50AF935ECA940EDB7CD2367B7775B16.TMPMD5=3DEBCC18D93AB47B4845FD5F6EABB66F,SHA256=0AE1F7C1410ABB27B3FDE1C9CDC64B0B70D7918CE5434399BB92B66E2F44AA8C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:08:28.294{856D1934-D9DC-6113-BE02-00000000E401}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.dll2021-08-11 14:08:28.168 23542300x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DC-6113-BE02-00000000E401}4532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D9DC-6113-BE02-00000000E401}4532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESC3B3.tmpMD5=B03BA49F40C964C49E2B383C19EE7EFA,SHA256=1A75B574347AFFF8CB527ADC631286ED56533BF72DA1B112C92F6B5F90C21486,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.294{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D9DC-6113-BF02-00000000E401}4720ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESC3B3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7568A3120230B3A41BDA0571B4661383,SHA256=4F9177B78C5C9E66E07E7639A414F633C9A9B9A676F1BC5F5076C009008ACFC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DC-6113-BF02-00000000E401}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.278{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DC-6113-BF02-00000000E401}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D9DC-6113-BE02-00000000E401}45324588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{856D1934-D9DC-6113-BF02-00000000E401}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.277{856D1934-D9DC-6113-BF02-00000000E401}4720C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESC3B3.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC50AF935ECA940EDB7CD2367B7775B16.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{856D1934-D9DC-6113-BE02-00000000E401}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\whnd455n.cmdline" 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7568A3120230B3A41BDA0571B4661383,SHA256=4F9177B78C5C9E66E07E7639A414F633C9A9B9A676F1BC5F5076C009008ACFC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5B2DE40BAF9E379DC528CCA7EEBC7DC4,SHA256=A3A0ADAFCE0EFF988BEB078564226E721032F8E7A92205F0F01735D210C6709D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.262{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B491685932DCBC8F847BE7DAD2E2D4E9,SHA256=3162CC38629EAC12C8FD188CAC8663C54CD07D6850FB2BD39164A1A52AFEF76C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.207{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53207-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.207{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53207-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.192{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53206-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.192{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53206-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.189{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53205-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.188{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53205-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.061{856D1934-D932-6113-1100-00000000E401}464C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-837.attackrange.local123ntpfalse20.101.57.9-123ntp 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D9DB-6113-B902-00000000E401}38883508C:\Windows\system32\conhost.exe{856D1934-D9DC-6113-BE02-00000000E401}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.168{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DC-6113-BE02-00000000E401}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.184{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.168{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.168{856D1934-D9DB-6113-BC02-00000000E401}41804796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DC-6113-BE02-00000000E401}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+7d836a|UNKNOWN(00007FF8A463BB0F) 154100x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.183{856D1934-D9DC-6113-BE02-00000000E401}4532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\whnd455n.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DB-6113-8E52-0E0000000000}0xe528e0HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.168{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.cmdline2021-08-11 14:08:28.168 11241100x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:08:28.168{856D1934-D9DB-6113-BC02-00000000E401}4180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\whnd455n.dll2021-08-11 14:08:28.168 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.168{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D9BC-6113-3B02-00000000E401}1500C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.168{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D9BC-6113-3B02-00000000E401}1500C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.469{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local58916- 354300x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.469{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local59714- 354300x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.469{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local56373- 354300x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.184{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53204-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:26.184{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53204-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.988{856D1934-D9DD-6113-C602-00000000E401}2388ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSCA2DC816F3A9644C3905C3442B5243A5F.TMPMD5=9C0D7F269170355205BA4C240BFD9B90,SHA256=92F583C196E52276E6F2A4923A8845C0B27C635A243A7E402C5C2324ADBDC845,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:08:29.972{856D1934-D9DD-6113-C602-00000000E401}2388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.dll2021-08-11 14:08:29.846 23542300x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D9DD-6113-C602-00000000E401}2388ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D9DD-6113-C602-00000000E401}2388ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESCA4B.tmpMD5=36A5D7DF06147BE5958C9BD61A0E51B1,SHA256=E05DACA264A91BC8B97607354C6C178A00F9AC98C8628809AA61175328FC8BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D9DD-6113-C702-00000000E401}3016ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESCA4B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DD-6113-C702-00000000E401}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.972{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.956{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.956{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.956{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.956{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9DD-6113-C702-00000000E401}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.956{856D1934-D9DD-6113-C602-00000000E401}23884836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{856D1934-D9DD-6113-C702-00000000E401}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.970{856D1934-D9DD-6113-C702-00000000E401}3016C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESCA4B.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCA2DC816F3A9644C3905C3442B5243A5F.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{856D1934-D9DD-6113-C602-00000000E401}2388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\gznaxgoq.cmdline" 10341000x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.893{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.893{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.878{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DD-6113-C602-00000000E401}2388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9DD-6113-C602-00000000E401}2388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D9DD-6113-C402-00000000E401}46643372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DD-6113-C602-00000000E401}2388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+7d836a|UNKNOWN(00007FF8A463BB0F) 154100x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.862{856D1934-D9DD-6113-C602-00000000E401}2388C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\gznaxgoq.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.846{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.cmdline2021-08-11 14:08:29.846 11241100x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:08:29.846{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.dll2021-08-11 14:08:29.846 354300x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.250{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53212-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.250{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53212-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.245{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53211-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.245{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53211-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.241{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53210-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.241{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53210-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.236{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53209-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.236{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53209-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.765{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local59925- 354300x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.277{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53863-false10.0.1.14win-dc-837.attackrange.local5986- 10341000x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DD-6113-C502-00000000E401}3612C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DD-6113-C502-00000000E401}3612C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.297{856D1934-D9DD-6113-C402-00000000E401}46643372C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DD-6113-C502-00000000E401}3612C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fabe73d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fab3279b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa01809f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa07bb11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05db20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05db20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05d9b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa04e6d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05bc13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b7e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fab3279b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa0403d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa03f94a(wow64) 154100x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.298{856D1934-D9DD-6113-C502-00000000E401}3612C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.282{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.282{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.282{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.219{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.219{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:29.203{856D1934-D9DD-6113-C402-00000000E401}4664\PSHost.132731645091228528.4664.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.188{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0sf0gqoc.pnf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.188{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4y51wfui.kwl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.172{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4y51wfui.kwl.ps12021-08-11 14:08:29.172 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.156{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.125{856D1934-D9DC-6113-C102-00000000E401}46764240C:\Windows\system32\conhost.exe{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.109{856D1934-D9DC-6113-C302-00000000E401}924752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+8651fe96(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85993faf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85993bea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+8646b258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85950b5c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+859b45ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+859965dd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+859965dd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+8599646e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+8598718e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+859946d0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+8599429d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85993faf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85993bea(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+8646b258(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85978e95(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+85978407(wow64) 154100x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.122{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DC-6113-DF92-0E0000000000}0xe92df0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.062{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.062{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.213{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53208-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:27.212{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53208-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 17141700x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:29.031{856D1934-D9DC-6113-C302-00000000E401}92\PSHost.132731645089573249.92.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.015{856D1934-D9DC-6113-C302-00000000E401}92ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_05rinvjl.23r.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.015{856D1934-D9DC-6113-C302-00000000E401}92ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_e4tcrpbf.f3g.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.999{856D1934-D9DC-6113-C302-00000000E401}92C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_e4tcrpbf.f3g.ps12021-08-11 14:08:28.999 354300x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.446{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.431{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.279{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53216-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.279{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53216-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.275{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53215-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.275{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53215-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.271{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53214-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.271{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53214-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.267{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53213-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.267{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53213-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:28.807{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53868-false10.0.1.14win-dc-837.attackrange.local5986- 10341000x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.781{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.781{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:30.740{856D1934-D9DE-6113-CB02-00000000E401}3940\PSHost.132731645106310481.3940.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.725{856D1934-D9DE-6113-CB02-00000000E401}3940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nhga3hg5.k0x.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.710{856D1934-D9DE-6113-CB02-00000000E401}3940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bokmb2vk.xbr.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.695{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bokmb2vk.xbr.ps12021-08-11 14:08:30.695 10341000x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.662{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D9DE-6113-CA02-00000000E401}48644964C:\Windows\system32\cmd.exe{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.631{856D1934-D9DE-6113-CB02-00000000E401}3940C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DE-6113-CA02-00000000E401}4864C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DE-6113-CA02-00000000E401}4864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DE-6113-CA02-00000000E401}4864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D9DE-6113-C802-00000000E401}41244172C:\Windows\system32\WinrsHost.exe{856D1934-D9DE-6113-CA02-00000000E401}4864C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.623{856D1934-D9DE-6113-CA02-00000000E401}4864C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.615{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.599{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.599{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.584{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.584{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.552{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.552{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DE-6113-C902-00000000E401}5100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.545{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.537{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.427{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.427{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.427{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.411{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.411{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.411{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.380{856D1934-D9DC-6113-C302-00000000E401}92ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.348{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.333{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.333{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.333{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.333{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-SetValue2021-08-11 14:08:30.301{856D1934-D9DD-6113-C402-00000000E401}4664C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 23542300x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.003{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.cmdlineMD5=6A77B64CA8951E70884AABEEBA4EFE4D,SHA256=63D13C9A1076A4D7387AF84CD2F09B97FF83F3F83349CA9B6B6DD6ED1F53E0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.003{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.outMD5=4737AC4D402D1C0CFE05789BCE06D806,SHA256=EED8991EC78226882E6DA37E299CAC5127B87923EF6D4E35D0022534FB300004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.988{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.988{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.pdbMD5=0FF00E15FB8B849B8AB3A0FA1128FC74,SHA256=E786BFB9094E240E4185787971C0FAC37549497DDA86E13940B4804F091BFA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:29.988{856D1934-D9DD-6113-C402-00000000E401}4664ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\gznaxgoq.dllMD5=A56E0055BA7A6F59DD9BE547694AAB61,SHA256=BCF9E820DFF8639C6BE394D8966E4FACBBDE768165F168B5747A0CD7B5F481D7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.863{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.863{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:31.832{856D1934-D9DF-6113-D302-00000000E401}856\PSHost.132731645117711000.856.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.816{856D1934-D9DF-6113-D302-00000000E401}856ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5is2ib0b.qi3.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.816{856D1934-D9DF-6113-D302-00000000E401}856ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kkr1uutg.dtl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.816{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kkr1uutg.dtl.ps12021-08-11 14:08:31.816 10341000x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.800{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D9DF-6113-D102-00000000E401}50643468C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.769{856D1934-D9DF-6113-D202-00000000E401}35923324C:\Windows\system32\cmd.exe{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.771{856D1934-D9DF-6113-D302-00000000E401}856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DF-6113-2524-0F0000000000}0xf24250HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DF-6113-D202-00000000E401}3592C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D9DF-6113-D102-00000000E401}50643468C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-D202-00000000E401}3592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-D202-00000000E401}3592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D9DF-6113-D002-00000000E401}42284544C:\Windows\system32\WinrsHost.exe{856D1934-D9DF-6113-D202-00000000E401}3592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.764{856D1934-D9DF-6113-D202-00000000E401}3592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DF-6113-2524-0F0000000000}0xf24250HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.753{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.738{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.722{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D9DF-6113-D102-00000000E401}50643468C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-D102-00000000E401}5064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.691{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.706{856D1934-D9DF-6113-D002-00000000E401}4228C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9DF-6113-2524-0F0000000000}0xf24250HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.691{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.691{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.691{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.612{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.612{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.612{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.581{856D1934-D9DF-6113-CD02-00000000E401}4848ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.534{856D1934-D9DF-6113-CE02-00000000E401}5048ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.503{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.503{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.503{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.503{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.503{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.503{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-CF02-00000000E401}4872C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-CF02-00000000E401}4872C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.456{856D1934-D9DF-6113-CE02-00000000E401}50484996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DF-6113-CF02-00000000E401}4872C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fabe73d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fab3279b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa01809f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa07bb11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05db20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05db20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05d9b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa04e6d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05bc13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b7e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b4f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa05b12d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fab3279b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa0403d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+fa03f94a(wow64) 154100x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.455{856D1934-D9DF-6113-CF02-00000000E401}4872C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.361{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.361{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.361{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.361{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.361{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.361{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 17141700x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:31.330{856D1934-D9DF-6113-CE02-00000000E401}5048\PSHost.132731645112610676.5048.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.314{856D1934-D9DF-6113-CE02-00000000E401}5048ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5dcm1o1m.h0t.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.314{856D1934-D9DF-6113-CE02-00000000E401}5048ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g1ucfpk4.zep.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.314{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g1ucfpk4.zep.ps12021-08-11 14:08:31.314 10341000x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.299{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.251{856D1934-D9DF-6113-CD02-00000000E401}48483836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3d303da9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c777ec2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c777afd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3d24f16b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c734a6f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c7984e1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c77a4f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c77a4f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c77a381|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c76b0a1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c7785e3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c7781b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c777ec2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c777afd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3d24f16b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c75cda8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\ab51aa242a56b8f1b0d6f775f92f7af2\System.Management.Automation.ni.dll+3c75c31a 154100x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.261{856D1934-D9DF-6113-CE02-00000000E401}5048C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.189{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.189{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:31.173{856D1934-D9DF-6113-CD02-00000000E401}4848\PSHost.132731645110999447.4848.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.157{856D1934-D9DF-6113-CD02-00000000E401}4848ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yye5j1pa.klu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.157{856D1934-D9DF-6113-CD02-00000000E401}4848ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bovegheg.uv5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.142{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bovegheg.uv5.ps12021-08-11 14:08:31.142 10341000x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.126{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.110{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.110{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D9DF-6113-CC02-00000000E401}48444852C:\Windows\system32\cmd.exe{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.099{856D1934-D9DF-6113-CD02-00000000E401}4848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9DF-6113-CC02-00000000E401}4844C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.095{856D1934-D9DE-6113-C902-00000000E401}51004956C:\Windows\system32\conhost.exe{856D1934-D9DF-6113-CC02-00000000E401}4844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9DF-6113-CC02-00000000E401}4844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D9DE-6113-C802-00000000E401}41244172C:\Windows\system32\WinrsHost.exe{856D1934-D9DF-6113-CC02-00000000E401}4844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.088{856D1934-D9DF-6113-CC02-00000000E401}4844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9DE-6113-CAD1-0E0000000000}0xed1ca0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9DE-6113-C802-00000000E401}4124C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.079{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.063{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.063{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.048{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.016{856D1934-D9DE-6113-CB02-00000000E401}3940ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.930{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9709D4D9F205820AA56B81A9EC23112,SHA256=5D784CB08E82F4B1E1F23F3513CA704AE4E29957E50CE3A530FD305AFFA2906C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.930{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CCDF43E9617CBA348E03D47370903F95,SHA256=F319C93EABEE13A3546AB9477A8ED8D810BFF189F01289565B7A8E008D22D962,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.396{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.396{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.396{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.396{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.308{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53222-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.308{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53222-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.305{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53221-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.305{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53221-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.301{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53220-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.301{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53220-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.298{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53219-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.297{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53219-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.083{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.083{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.067{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.036{856D1934-D9DF-6113-D302-00000000E401}856ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.980{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.949{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.903{856D1934-D9E1-6113-D502-00000000E401}47844156C:\Windows\system32\conhost.exe{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9E1-6113-D502-00000000E401}4784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.870{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.855{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.855{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.868{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9E1-6113-2347-0F0000000000}0xf47230HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.855{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.855{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.855{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.761{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=202C1DBF22B576D27A1627EC8A430EDB,SHA256=C3212A5F043C0189416B05E1EEB60CB1BA523592440B1D3309D84E7D16CB0775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840976C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840976C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840976C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840976C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840976C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840976C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.510{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.416{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.416{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.416{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.416{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.610{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53870-false10.0.1.14win-dc-837.attackrange.local5986- 354300x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.335{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53226-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.335{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53226-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.332{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53225-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.331{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53225-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.327{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53224-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.327{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53224-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.323{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53223-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:31.323{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53223-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.822{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local58431- 354300x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:30.454{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53869-false10.0.1.14win-dc-837.attackrange.local5986- 10341000x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.686{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.686{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.686{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-SetValue2021-08-11 14:08:34.686{856D1934-D932-6113-1100-00000000E401}464C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78eba-0x5f6ec233) 23542300x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.639{856D1934-D9E2-6113-D702-00000000E401}4988ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.381{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53234-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.378{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53233-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.378{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53233-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.373{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53232-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.373{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53232-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.369{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53231-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.369{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53231-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.499{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.499{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.482{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.482{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.451{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.372{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.372{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.365{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53230-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.365{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53230-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.361{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53229-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.361{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53229-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.357{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53228-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.357{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53228-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.354{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53227-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:32.354{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53227-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 17141700x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:34.310{856D1934-D9E2-6113-D702-00000000E401}4988\PSHost.132731645140489597.4988.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.247{856D1934-D9E2-6113-D702-00000000E401}4988ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_omzlwetk.v1u.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.247{856D1934-D9E2-6113-D702-00000000E401}4988ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_illon2tk.dwc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.168{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_illon2tk.dwc.ps12021-08-11 14:08:34.168 10341000x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.121{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.059{856D1934-D9E1-6113-D502-00000000E401}47844156C:\Windows\system32\conhost.exe{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D9E2-6113-D602-00000000E401}10121200C:\Windows\system32\cmd.exe{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.048{856D1934-D9E2-6113-D702-00000000E401}4988C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9E1-6113-2347-0F0000000000}0xf47230HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9E2-6113-D602-00000000E401}1012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.043{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D9E1-6113-D502-00000000E401}47844156C:\Windows\system32\conhost.exe{856D1934-D9E2-6113-D602-00000000E401}1012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.031{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9E2-6113-D602-00000000E401}1012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D9E1-6113-D402-00000000E401}47964768C:\Windows\system32\WinrsHost.exe{856D1934-D9E2-6113-D602-00000000E401}1012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.026{856D1934-D9E2-6113-D602-00000000E401}1012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9E1-6113-2347-0F0000000000}0xf47230HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9E1-6113-D402-00000000E401}4796C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.012{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.996{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.418{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53236-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.418{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53236-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.401{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53235-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.401{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53235-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.533{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.533{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.517{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.517{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.517{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.755{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53873-false10.0.1.14win-dc-837.attackrange.local5986- 354300x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:33.381{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53234-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.485{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53243-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.485{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53243-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.474{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53242-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.474{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53242-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.470{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53241-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.470{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53241-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.464{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53240-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.464{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53240-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.583{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.583{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.568{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.568{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.456{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53239-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.456{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53239-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.450{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53238-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.450{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53238-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.440{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53237-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:34.440{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53237-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.869{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.869{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:37.838{856D1934-D9E5-6113-DB02-00000000E401}4840\PSHost.132731645176813367.4840.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.775{856D1934-D9E5-6113-DB02-00000000E401}4840ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xzknydj3.myi.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.775{856D1934-D9E5-6113-DB02-00000000E401}4840ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jrrx2xfm.2yy.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.531{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53248-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.531{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53248-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.526{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53247-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.526{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53247-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.513{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53246-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.513{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53246-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.510{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53245-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:36.510{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53245-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 11241100x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.759{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_jrrx2xfm.2yy.ps12021-08-11 14:08:37.759 10341000x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.745{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D9E5-6113-D902-00000000E401}37044128C:\Windows\system32\conhost.exe{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D9E5-6113-DA02-00000000E401}30164932C:\Windows\system32\cmd.exe{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.681{856D1934-D9E5-6113-DB02-00000000E401}4840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9E5-6113-BC6D-0F0000000000}0xf6dbc0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9E5-6113-DA02-00000000E401}3016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D9E5-6113-D902-00000000E401}37044128C:\Windows\system32\conhost.exe{856D1934-D9E5-6113-DA02-00000000E401}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9E5-6113-DA02-00000000E401}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.665{856D1934-D9E5-6113-D802-00000000E401}20844892C:\Windows\system32\WinrsHost.exe{856D1934-D9E5-6113-DA02-00000000E401}3016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.668{856D1934-D9E5-6113-DA02-00000000E401}3016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9E5-6113-BC6D-0F0000000000}0xf6dbc0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.650{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.650{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.650{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.650{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.634{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.634{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.618{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.618{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.603{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.587{856D1934-D9E5-6113-D902-00000000E401}37044128C:\Windows\system32\conhost.exe{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.571{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9E5-6113-D902-00000000E401}3704C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.566{856D1934-D9E5-6113-D802-00000000E401}2084C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9E5-6113-BC6D-0F0000000000}0xf6dbc0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.556{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.489{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53244-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:35.489{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53244-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.580{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53251-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.580{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53251-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.565{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53250-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.565{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53250-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.550{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53249-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.550{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53249-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.684{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.684{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.684{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.684{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.446{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53874-false10.0.1.14win-dc-837.attackrange.local5986- 10341000x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.167{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.167{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.167{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.120{856D1934-D9E5-6113-DB02-00000000E401}4840ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.627{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53255-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.627{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53255-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.623{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53254-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.623{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53254-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.619{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53253-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.619{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53253-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.751{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.735{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.735{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.719{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.500{856D1934-D932-6113-1000-00000000E401}388NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DDF8B40A817FF4DF1B3D89951ECCE58E,SHA256=2F7BB1B8F20284568CD24196C583663F98A52F8DFCD960C543AD061CB4D3271D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.600{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53252-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:37.600{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53252-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.672{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53259-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.672{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53259-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.664{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53258-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.664{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53258-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.651{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53257-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.651{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53257-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.770{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.770{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.770{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.770{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.631{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53256-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:38.631{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53256-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.174{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9E8-6113-DC02-00000000E401}4540C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.174{856D1934-D932-6113-1600-00000000E401}13001536C:\Windows\System32\svchost.exe{856D1934-D9E8-6113-DC02-00000000E401}4540C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.174{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D932-6113-1600-00000000E401}1300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.174{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D932-6113-1600-00000000E401}1300C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.705{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53263-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.705{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53263-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.701{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53262-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.701{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53262-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.697{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53261-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.697{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53261-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.804{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.804{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.804{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.804{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.585{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1389588F480FBD5FBFCD05409A09FC18,SHA256=F9B395CEB52B5F2ED9DF1D76FDA9B2A29ABDE82096F2619CC781DBD3E79C5981,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.683{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53260-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:39.683{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53260-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.839{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.839{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.839{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.839{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.824{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.824{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.824{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.792{856D1934-D9EA-6113-E002-00000000E401}3412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.588{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.588{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:42.541{856D1934-D9EA-6113-E002-00000000E401}3412\PSHost.132731645224395506.3412.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.510{856D1934-D9EA-6113-E002-00000000E401}3412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_munnjqub.qho.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.510{856D1934-D9EA-6113-E002-00000000E401}3412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yq1jqnuk.t35.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.494{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yq1jqnuk.t35.ps12021-08-11 14:08:42.494 354300x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.709{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53264-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:40.709{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53264-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.479{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D9EA-6113-DE02-00000000E401}46804760C:\Windows\system32\conhost.exe{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D9EA-6113-DF02-00000000E401}922080C:\Windows\system32\cmd.exe{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.439{856D1934-D9EA-6113-E002-00000000E401}3412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9EA-6113-5699-0F0000000000}0xf99560HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9EA-6113-DF02-00000000E401}92C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.432{856D1934-D9EA-6113-DE02-00000000E401}46804760C:\Windows\system32\conhost.exe{856D1934-D9EA-6113-DF02-00000000E401}92C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9EA-6113-DF02-00000000E401}92C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D9EA-6113-DD02-00000000E401}33164660C:\Windows\system32\WinrsHost.exe{856D1934-D9EA-6113-DF02-00000000E401}92C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.427{856D1934-D9EA-6113-DF02-00000000E401}92C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9EA-6113-5699-0F0000000000}0xf99560HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.416{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.400{856D1934-D932-6113-1300-00000000E401}10521332C:\Windows\system32\svchost.exe{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.385{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D9EA-6113-DE02-00000000E401}46804760C:\Windows\system32\conhost.exe{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9EA-6113-DE02-00000000E401}4680C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.353{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.354{856D1934-D9EA-6113-DD02-00000000E401}3316C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9EA-6113-5699-0F0000000000}0xf99560HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.338{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.338{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.338{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.874{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.858{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.858{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.858{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.740{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53268-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.740{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53268-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.736{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53267-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.736{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53267-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.732{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53266-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.732{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53266-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.728{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53265-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:41.728{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53265-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.909{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.893{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.893{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.893{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.765{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53272-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.765{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53272-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.758{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53271-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.758{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53271-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.750{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53270-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.750{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53270-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.745{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53269-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.745{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53269-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:42.221{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53875-false10.0.1.14win-dc-837.attackrange.local5986- 10341000x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.959{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.943{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.928{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.928{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.812{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53278-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.812{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53278-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.807{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53277-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.807{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53277-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.789{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53276-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.789{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53276-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.784{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53275-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.784{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53275-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.779{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53274-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.779{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53274-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.776{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53273-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:43.776{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53273-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.994{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.978{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.978{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.978{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.845{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53282-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.845{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53282-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.839{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53281-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.839{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53281-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.822{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53280-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.821{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53280-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.815{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53279-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:44.815{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53279-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.894{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53287-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.894{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53287-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.890{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53286-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.890{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53286-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.885{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53285-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.885{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53285-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.951{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45C5106754A94EADE29012077EC96E8E,SHA256=676C33059B70E688D9BD932B3FAA6181D09F4067DC5501C70162F6A8EBEA3A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9EF-6113-E102-00000000E401}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9EF-6113-E102-00000000E401}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9EF-6113-E102-00000000E401}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.934{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.733{856D1934-D9EF-6113-E102-00000000E401}5084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.866{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53284-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.866{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53284-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.854{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53283-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:45.854{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53283-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.898{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53288-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:46.898{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53288-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.122{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.091{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.075{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.028{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.024{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53292-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.024{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53292-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.002{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53291-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.002{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53291-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.298{856D1934-D9F0-6113-E202-00000000E401}50724188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.977{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53290-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.977{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53290-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.935{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53289-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:47.935{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53289-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.172{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.159{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.159{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.141{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9F0-6113-E202-00000000E401}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9F0-6113-E202-00000000E401}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.094{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9F0-6113-E202-00000000E401}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.971{856D1934-D9F0-6113-E202-00000000E401}5072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.076{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53297-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.076{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53297-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.069{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53296-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.069{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53296-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.060{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53295-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.060{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53295-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.047{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53294-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:49.047{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53294-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:48.178{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53293-false93.184.220.29-80http 23542300x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.505{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=618BD5500221A0632D34A7EF4AAFC3E6,SHA256=8CCCCEEBDE867B338C2266259723AE31F51D7891B1FA9A6A2AACD33E5BF6FB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9F2-6113-E302-00000000E401}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9F2-6113-E302-00000000E401}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.395{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9F2-6113-E302-00000000E401}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.099{856D1934-D9F2-6113-E302-00000000E401}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.207{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.207{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.191{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.191{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.832{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.832{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:08:51.816{856D1934-D9F3-6113-E802-00000000E401}2976\PSHost.132731645317290543.2976.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.801{856D1934-D9F3-6113-E802-00000000E401}2976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vrhk1fsx.bou.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.801{856D1934-D9F3-6113-E802-00000000E401}2976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nzl1gfth.iw2.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.785{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nzl1gfth.iw2.ps12021-08-11 14:08:51.785 10341000x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.769{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D9F3-6113-E602-00000000E401}42003928C:\Windows\system32\conhost.exe{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D9F3-6113-E702-00000000E401}51083416C:\Windows\system32\cmd.exe{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.729{856D1934-D9F3-6113-E802-00000000E401}2976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9F3-6113-E8E9-0F0000000000}0xfe9e80HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-D9F3-6113-E702-00000000E401}5108C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.722{856D1934-D9F3-6113-E602-00000000E401}42003928C:\Windows\system32\conhost.exe{856D1934-D9F3-6113-E702-00000000E401}5108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9F3-6113-E702-00000000E401}5108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D9F3-6113-E502-00000000E401}3872380C:\Windows\system32\WinrsHost.exe{856D1934-D9F3-6113-E702-00000000E401}5108C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.710{856D1934-D9F3-6113-E702-00000000E401}5108C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-D9F3-6113-E8E9-0F0000000000}0xfe9e80HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.706{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.691{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.691{856D1934-D932-6113-1300-00000000E401}10521332C:\Windows\system32\svchost.exe{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.675{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.659{856D1934-D9F3-6113-E602-00000000E401}42003928C:\Windows\system32\conhost.exe{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9F3-6113-E602-00000000E401}4200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.648{856D1934-D9F3-6113-E502-00000000E401}3872C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-D9F3-6113-E8E9-0F0000000000}0xfe9e80HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.644{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.111{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53301-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.111{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53301-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.104{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53300-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.104{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53300-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.099{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53299-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.098{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53299-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.090{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53298-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:50.090{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53298-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.612{856D1934-D9F3-6113-E402-00000000E401}49685032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.424{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9F3-6113-E402-00000000E401}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-D9F3-6113-E402-00000000E401}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.409{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9F3-6113-E402-00000000E401}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.288{856D1934-D9F3-6113-E402-00000000E401}4968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.283{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F8B0550E89B5147A1CBD9520DE69A1F,SHA256=CD02151428A81B82D64527BCE51B5666E35F2CC771AD61441504AC945F92495B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.236{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.236{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.236{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.236{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.913{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A84535208D74835C4325848060EED5BE,SHA256=D3F7741AF58EC41F4BE6D383F6F9E86A5A6CCCEEB55575D90C8F475894901C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.913{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9F4-6113-EA02-00000000E401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9F4-6113-EA02-00000000E401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.898{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9F4-6113-EA02-00000000E401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.774{856D1934-D9F4-6113-EA02-00000000E401}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.479{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53877-false10.0.1.14win-dc-837.attackrange.local5986- 354300x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.141{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53305-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.141{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53305-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.137{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53304-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.137{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53304-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.133{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53303-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.133{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53303-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.129{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53302-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:51.129{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53302-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.286{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.271{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.271{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.271{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.192{856D1934-D9F4-6113-E902-00000000E401}39524744C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.098{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.098{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.098{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.036{856D1934-D9F3-6113-E802-00000000E401}2976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9F4-6113-E902-00000000E401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-D9F4-6113-E902-00000000E401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.020{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9F4-6113-E902-00000000E401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.022{856D1934-D9F4-6113-E902-00000000E401}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D923B06242BA4B31E6C943551682B68C,SHA256=29B3BCBF841288546E9CDC757FC5DD2891561BD345628F800D056181AE72947C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-D9F5-6113-EB02-00000000E401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-D9F5-6113-EB02-00000000E401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.650{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-D9F5-6113-EB02-00000000E401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.510{856D1934-D9F5-6113-EB02-00000000E401}1264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.181{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53309-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.181{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53309-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.172{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53308-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.172{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53308-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.168{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53307-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.168{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53307-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.161{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53306-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:52.161{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53306-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.305{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.305{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.305{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.305{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.070{856D1934-D9F4-6113-EA02-00000000E401}47564568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.888{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35B11469F92CAF43E8AAE35288BC5ED2,SHA256=41004AF5564AE0D36936E66ED4415EBBF21219C8435B3A71BC456BAD4DCE86D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.205{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53313-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.205{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53313-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.201{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53312-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.201{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53312-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.196{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53311-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.196{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53311-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.192{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53310-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:53.192{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53310-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.355{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.355{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.340{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.340{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.214{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E4CB2A3E2F034B72127754D3F21C4344,SHA256=231AF70C617EF578B32D9176F51D63E191BF958D79FF061DACA15ACD8AFA3BB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.245{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53317-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.245{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53317-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.240{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53316-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.240{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53316-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.235{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53315-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.235{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53315-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.225{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53314-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:54.225{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53314-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.374{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.374{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.374{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.374{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.267{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53321-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.267{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53321-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.262{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53320-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.262{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53320-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.258{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53319-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.258{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53319-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.254{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53318-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:55.254{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53318-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.424{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.408{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.408{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.408{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.302{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53325-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.302{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53325-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.297{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53324-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.297{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53324-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.290{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53323-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.290{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53323-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.286{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53322-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:56.286{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53322-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.458{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.443{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.443{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.443{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.129{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C328E15C96B569447A67D24D1BFC0C39,SHA256=07C472D5C2B1B99FBF4D9B4FF869517265C09A7E001EFD49CDA433A4CE327011,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.332{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53329-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.332{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53329-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.327{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53328-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.327{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53328-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.321{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53327-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.321{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53327-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.317{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53326-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:57.317{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53326-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.503{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2C1828D7322A91366F1EC86BEE07904,SHA256=4DE169FB26287CB82A25794696A3CB55F9CAAB1D0F600F4D4FC2AEB2BEF72DE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.503{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.488{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.488{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.488{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.535{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.535{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.535{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.535{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.520{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.520{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.370{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53332-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.370{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53332-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.366{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53331-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.366{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53331-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.359{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53330-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.359{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53330-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.065{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E952766EA9056622CF200CBA5ACB7259,SHA256=CEE511281EACC98966FBEC44D20FD82E7ADEEA6BBC3806583772BB4F53B3A49D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.408{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53337-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.408{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53337-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.588{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7813AABCEDAB896B37879269F1F204B4,SHA256=2E5DA404125A504B88F3F3F38F50036467BDD04852E7075940453A96ECBFBA60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.573{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.557{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.557{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.557{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.401{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53336-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.401{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53336-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.394{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53335-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.394{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53335-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.388{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53334-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.388{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53334-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.376{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53333-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:58.375{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53333-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.607{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.607{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.591{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.591{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.414{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53338-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:08:59.414{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53338-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.657{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.641{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.641{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.641{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.474{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53345-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.474{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53345-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.464{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53344-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.464{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53344-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.453{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53343-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.453{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53343-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.359{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4BEC69EB5FC431622D66523E3E78FF0,SHA256=A347D8584764F980E471DA8356EA85D03A215321C5DD786F77AA748BE9CE601C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.435{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53342-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.435{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53342-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.431{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53341-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.431{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53341-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.426{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53340-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.426{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53340-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.422{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53339-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:00.422{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53339-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.691{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.691{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.511{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53349-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.511{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53349-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.506{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53348-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.505{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53348-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.500{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53347-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.500{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53347-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.675{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.675{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.478{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53346-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:01.478{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53346-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.017{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E365597AC512E54BE729F7CB97DF2F9A,SHA256=5713435CDC3303BFCC65EF0B4FD746352A6F46AAB4A6F0B3A6E8009B5CB4855A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.976{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-DA00-6113-ED02-00000000E401}27122912C:\Windows\system32\conhost.exe{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.960{856D1934-DA00-6113-EE02-00000000E401}49284300C:\Windows\system32\cmd.exe{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.962{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA00-6113-3A32-100000000000}0x10323a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-DA00-6113-EE02-00000000E401}4928C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-DA00-6113-ED02-00000000E401}27122912C:\Windows\system32\conhost.exe{856D1934-DA00-6113-EE02-00000000E401}4928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA00-6113-EE02-00000000E401}4928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-DA00-6113-EC02-00000000E401}23883772C:\Windows\system32\WinrsHost.exe{856D1934-DA00-6113-EE02-00000000E401}4928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.955{856D1934-DA00-6113-EE02-00000000E401}4928C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA00-6113-3A32-100000000000}0x10323a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.944{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.929{856D1934-D932-6113-1300-00000000E401}10521332C:\Windows\system32\svchost.exe{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.913{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.897{856D1934-DA00-6113-ED02-00000000E401}27122912C:\Windows\system32\conhost.exe{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA00-6113-ED02-00000000E401}2712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.886{856D1934-DA00-6113-EC02-00000000E401}2388C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-DA00-6113-3A32-100000000000}0x10323a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.882{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.544{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53353-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.544{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53353-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.537{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53352-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.537{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53352-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.532{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53351-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.532{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53351-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.725{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.709{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.709{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.709{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.516{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53350-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:02.516{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53350-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.566{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53356-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.566{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53356-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.563{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53355-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.563{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53355-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.759{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.759{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.743{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.743{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.399{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.399{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.399{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.383{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C368F1D2C03FC976167310E52432F5B,SHA256=93A12291A6C649C32A38EB74E53865D22DCBE9985F584F523E4AF773EA553B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.383{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A4061898132A28BB7E24A4CB4BB339F,SHA256=46FB6085C32A0F94AEE7FB3E6C9134F601BC5E12D51FCF5A4ACB8DED23EFA113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.305{856D1934-DA00-6113-EF02-00000000E401}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.551{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53354-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:03.551{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53354-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.101{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.101{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:09:05.070{856D1934-DA00-6113-EF02-00000000E401}4836\PSHost.132731645449625949.4836.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.039{856D1934-DA00-6113-EF02-00000000E401}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dzex3pkw.zhi.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.039{856D1934-DA00-6113-EF02-00000000E401}4836ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_grt3drhp.dqh.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.023{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_grt3drhp.dqh.ps12021-08-11 14:09:05.023 10341000x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.008{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA00-6113-EF02-00000000E401}4836C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.607{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53361-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.607{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53361-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.602{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53360-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.602{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53360-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.594{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53359-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.594{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53359-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.793{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.778{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.778{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.778{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.678{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53883-false10.0.1.14win-dc-837.attackrange.local5986- 354300x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.578{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53358-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.577{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53358-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.573{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53357-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:04.573{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53357-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.636{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53365-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.636{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53365-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.632{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53364-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.632{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53364-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.625{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53363-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.625{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53363-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.812{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.812{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.812{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.812{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.615{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53362-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:05.615{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53362-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.326{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95DFA59E7E8D5855508803906B3797D5,SHA256=5106BE9048B185E0FC98F163CBBDC246B3D63A36BD79424B99993E593A3F5402,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.667{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53370-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.664{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53369-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.664{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53369-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.660{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53368-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.660{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53368-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.656{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53367-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.656{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53367-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.861{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.861{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.846{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.846{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.846{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.646{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53366-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:06.646{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53366-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.047{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBAC1661E3088A337EE0D7F608C062B,SHA256=C80176539611D4F633BEFE85DCE3449FE10F81DC3F830D2707B4FD9A5A8C634E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.705{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53374-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.705{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53374-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.699{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53373-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.699{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53373-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.691{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53372-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.691{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53372-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.688{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53371-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:08.687{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53371-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.896{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.880{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.880{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.880{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:07.668{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53370-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.923{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.923{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.914{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.914{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.334{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52EF34D9055AFB9088B31700C095652C,SHA256=19FDA0E40BFCC318C23CFC7836F52308370CDA2F6938B79C7BA9E356ED4BF382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.972{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.956{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.941{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.941{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.941{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.514{856D1934-D930-6113-0B00-00000000E401}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53379-true0:0:0:0:0:0:0:1win-dc-837.attackrange.local389ldap 354300x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.514{856D1934-D942-6113-2100-00000000E401}2476C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-837.attackrange.local53379-true0:0:0:0:0:0:0:1win-dc-837.attackrange.local389ldap 22542200x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.520{856D1934-D942-6113-2100-00000000E401}2476win-dc-837.attackrange.local0fe80::2c4f:6ce1:a648:a5dd;fe80::24a0:226f:f5ff:fef1;2001:0:2851:782c:24a0:226f:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 354300x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.732{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53378-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.732{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53378-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.727{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53377-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.727{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53377-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.723{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53376-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.723{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53376-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.719{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53375-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:09.719{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53375-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.017{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=325337BE89C4F84894DEC4371BE39A8B,SHA256=408AC3C87F5DB3193A713D58773AF49FB4F413FD22243B6200A2C2019B77BAA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.990{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.787{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DE0AE4CF38919D2750DE28B9BAD6D1CE,SHA256=E4C52B47CCFA667BA12DD4FD16222D0D8D09015C087A3DD68C26C740D99F06A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.787{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C319110C8F9242C9F57DC1D3B4DDE564,SHA256=667F336EE4003F56055C7DE91601487E0631EB8AF28DB7B5CF6710362E496591,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.762{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53383-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.762{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53383-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.759{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53382-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.759{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53382-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.754{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53381-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.754{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53381-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.750{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53380-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:10.750{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53380-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.807{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53388-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.807{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53388-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.788{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53387-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.788{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53387-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.784{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53386-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.784{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53386-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.779{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53385-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.779{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53385-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.775{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53384-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:11.775{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53384-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.084{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5CDE174DEFCCEAE11D297292E359AED,SHA256=8EDC3318AFA2EBE0706E00BFD8127C139B4C8E32A7144E022D5838FF3146AA03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.006{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.006{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.990{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.990{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.842{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53393-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.842{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53393-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.836{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53392-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.836{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53392-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.833{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53391-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.833{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53391-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.827{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53390-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.827{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53390-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.821{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53389-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:12.821{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53389-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.040{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.024{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.024{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.024{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.866{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53397-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.866{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53397-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.862{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53396-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.862{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53396-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.857{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53395-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.857{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53395-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.853{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53394-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:13.852{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53394-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.074{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.074{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.058{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.058{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA8EFD64A3920558C7AD69FB58F334D,SHA256=9258F6D1BB07F94C8226E83241CD10A7977D38824F5E37512B494E2F6DAB6FAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.058{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.903{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53401-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.903{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53401-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.898{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53400-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.898{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53400-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.892{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53399-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.892{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53399-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.884{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53398-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:14.884{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53398-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.123{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.123{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.108{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.092{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.076{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB85FE326B4B4CC8039BF07D04F7E303,SHA256=6F9BAB7A9416ED9071CF995158093B6476AA320D4B0293503E5C870331A5F11C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.909{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.909{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:09:17.878{856D1934-DA0D-6113-F302-00000000E401}4360\PSHost.132731645577483733.4360.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.862{856D1934-DA0D-6113-F302-00000000E401}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ynqkjx3x.uii.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.862{856D1934-DA0D-6113-F302-00000000E401}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nhcull2b.z4m.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.847{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34BF6B9AE7E421B4A30B8F2F4C616894,SHA256=15BBE125B45AEC6B301C12C3C735FFAEBCA82047720E4917F706CE0B8B0AA88C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.831{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nhcull2b.z4m.ps12021-08-11 14:09:17.831 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.816{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.753{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.753{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.753{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-DA0D-6113-F102-00000000E401}5084320C:\Windows\system32\conhost.exe{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-DA0D-6113-F202-00000000E401}44325040C:\Windows\system32\cmd.exe{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.748{856D1934-DA0D-6113-F302-00000000E401}4360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA0D-6113-0A68-100000000000}0x10680a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-DA0D-6113-F202-00000000E401}4432C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-DA0D-6113-F102-00000000E401}5084320C:\Windows\system32\conhost.exe{856D1934-DA0D-6113-F202-00000000E401}4432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA0D-6113-F202-00000000E401}4432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-DA0D-6113-F002-00000000E401}44204344C:\Windows\system32\WinrsHost.exe{856D1934-DA0D-6113-F202-00000000E401}4432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.741{856D1934-DA0D-6113-F202-00000000E401}4432C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA0D-6113-0A68-100000000000}0x10680a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.737{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.721{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.721{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.706{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.706{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.674{856D1934-DA0D-6113-F102-00000000E401}5084320C:\Windows\system32\conhost.exe{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.659{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA0D-6113-F102-00000000E401}5084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.640{856D1934-DA0D-6113-F002-00000000E401}4420C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-DA0D-6113-0A68-100000000000}0x10680a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.627{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.951{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53405-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.951{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53405-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.941{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53404-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.941{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53404-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.930{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53403-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.930{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53403-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.917{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53402-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:15.917{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53402-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.173{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.157{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.157{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.157{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.110{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA01B767021F54FC7DEB73E72EAE61E,SHA256=F5AC0E38B94B9B441C51CDF39AC39BFA287640D89E7F896971A55AE4CEF4F324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.724{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D52A08F4741C122AD19AD0CD2F1E4567,SHA256=150B49D431A5A831BBE9DE9F7399B96A27D799C858A2989A064C37AFD62EDBE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:17.402{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53885-false10.0.1.14win-dc-837.attackrange.local5986- 354300x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.998{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53409-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.998{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53409-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.989{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53408-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.989{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53408-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.983{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53407-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.983{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53407-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.978{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53406-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:16.978{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53406-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.207{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.191{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.191{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.191{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.176{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.176{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.160{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.160{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8A9FB00D333DA762E60275A0187D4CD,SHA256=7C8BE599B4B184343779A80A576AB531DF95B3AC49F28881FD9D743AA545BA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.133{856D1934-DA0D-6113-F302-00000000E401}4360ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.022{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53413-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.022{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53413-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.018{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53412-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.018{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53412-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.014{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53411-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.014{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53411-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.009{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53410-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.009{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53410-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.241{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.225{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.225{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.225{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.194{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E43A95D3F675BC16959C85EE5F44D004,SHA256=E47DD5F7E8F1AFF1074B063F8BEFBE6B92E0C7648D5D1FF1F103EFB1BA838685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.178{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.055{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53418-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.055{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53418-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.048{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53417-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.048{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53417-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.044{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53416-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.044{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53416-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.040{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53415-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.040{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53415-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.431{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE91C8307C81F4D8427ABD276315EF16,SHA256=C8DCA70951F5D5161DCE989A62782DDBC139128FAFAACE73A986A5E1923430BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.274{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.274{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 22542200x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:19.004{856D1934-D942-6113-2200-00000000E401}2532win-dc-837.attackrange.local0fe80::2c4f:6ce1:a648:a5dd;fe80::24a0:226f:f5ff:fef1;2001:0:2851:782c:24a0:226f:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 10341000x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.259{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.259{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.999{856D1934-D930-6113-0B00-00000000E401}612C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53414-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local389ldap 354300x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:18.999{856D1934-D942-6113-2200-00000000E401}2532C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53414-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local389ldap 354300x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.090{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53422-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.090{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53422-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.083{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53421-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.083{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53421-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.076{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53420-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.076{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53420-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.071{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53419-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:20.071{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53419-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.308{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.293{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.293{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.293{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.373{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.358{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.343{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.115{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53426-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.115{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53426-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.110{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53425-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.110{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53425-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.106{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53424-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.106{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53424-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.102{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53423-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:21.102{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53423-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.326{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AA2AB4E350068495F151BA4E0BD47D1,SHA256=E57A3F62D3A7B089021E0815D8D6633F1D31A1DAFFC788272A98F5BAD8CAA18E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.326{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.407{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF735A2FC1AA8AFF523784BD93899750,SHA256=E6F26CD49D65875B3C6A4F31DF776B405C317F524FC52FB6B80E3F699F552552,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.178{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53430-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.178{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53430-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.168{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53429-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.167{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53429-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.150{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53428-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.150{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53428-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.135{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53427-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:22.135{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53427-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.391{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.391{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.391{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.391{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.209{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53434-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.209{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53434-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.205{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53433-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.205{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53433-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.472{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=274705E2D6308334F9F3A176D8706548,SHA256=C3A8AE880D6151F5498A5F9863962EA9BA89649E60211EF6663B6DD98E3A91B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.441{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.200{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53432-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.200{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53432-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.196{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53431-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:23.196{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53431-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.425{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.425{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.425{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.235{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53437-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.235{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53437-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.231{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53436-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.231{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53436-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.227{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53435-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.227{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53435-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.474{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.459{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.459{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.459{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.542{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17C50E4F78AE68BC0F4BEA0A16070C2E,SHA256=C899CE0BA86353627549383D698EDA160564640A364EABBFDCF93E76F5C39EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.267{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53441-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.267{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53441-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.263{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53440-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.262{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53440-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.258{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53439-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.258{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53439-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.508{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.508{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.492{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.492{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.241{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53438-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:24.241{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53438-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.306{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53445-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.306{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53445-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.299{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53444-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.299{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53444-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.290{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53443-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.290{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53443-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.557{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.557{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89994FB2AD70EF7BE4B04DD454899E71,SHA256=09CAD98C7440764A3BFEDE47ECA96083988DDF2468125E71E68F4CD6B6353AFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.557{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.542{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.542{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.271{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53442-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:25.271{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53442-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.342{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53448-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.342{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53448-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.337{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53447-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.337{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53447-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.607{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.607{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.591{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.591{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.561{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0388E34A0E19C80E8D05B2149605E1F,SHA256=A00D48C151D66DD2B663370087AF49CB1C385424B0B018F8A4C0CDCD312283DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.316{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53446-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:26.316{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53446-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.396{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53453-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.396{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53453-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.388{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53452-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.388{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53452-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.384{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53451-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.384{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53451-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.640{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.640{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.625{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE79CE642ECC988E309C434684B9054,SHA256=3DBC67FE5419D75B920913713F5040BF5F8A0AE8210A7E05756EDF48BBD95D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.625{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.625{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.357{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53450-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.357{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53450-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.353{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53449-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:27.353{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53449-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 11241100x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.971{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gijdq003.fcl.ps12021-08-11 14:09:30.971 10341000x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.940{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-DA1A-6113-F502-00000000E401}4756500C:\Windows\system32\conhost.exe{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.893{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-DA1A-6113-F602-00000000E401}46524396C:\Windows\system32\cmd.exe{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.891{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA1A-6113-259F-100000000000}0x109f250HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-DA1A-6113-F602-00000000E401}4652C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-DA1A-6113-F502-00000000E401}4756500C:\Windows\system32\conhost.exe{856D1934-DA1A-6113-F602-00000000E401}4652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA1A-6113-F602-00000000E401}4652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.877{856D1934-DA1A-6113-F402-00000000E401}44923800C:\Windows\system32\WinrsHost.exe{856D1934-DA1A-6113-F602-00000000E401}4652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.879{856D1934-DA1A-6113-F602-00000000E401}4652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA1A-6113-259F-100000000000}0x109f250HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.862{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.862{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.862{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.854{856D1934-D932-6113-1300-00000000E401}10523876C:\Windows\system32\svchost.exe{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.830{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.816{856D1934-DA1A-6113-F502-00000000E401}4756500C:\Windows\system32\conhost.exe{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.799{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA1A-6113-F502-00000000E401}4756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.793{856D1934-DA1A-6113-F402-00000000E401}4492C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-DA1A-6113-259F-100000000000}0x109f250HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.783{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.430{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53457-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.430{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53457-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.419{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53456-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.419{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53456-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.415{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53455-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.415{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53455-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.405{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53454-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:28.405{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53454-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.676{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.658{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.658{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.658{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AEEF321ABE77B7FA5A40163D0DE4098,SHA256=B64FE28C3331B9D38E6FA87982CC9D4E41D285721356087D6E1B4563A4F40FB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.658{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.949{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D0CD874AB34ADF902059FF5ADC7E7AFD,SHA256=FD0AAF312D5F495A4FA61567B247BAB6DAEEB142127EC7FDD5C922B74F2273EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.435{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53458-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:29.435{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53458-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.714{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.698{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.698{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A42A2B518BEAF36F9B1956755617EEDD,SHA256=FF48C92FE00F1A9298585DE418891804E31E2FF4D60C5D81D63F9363C01C6F57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.682{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.682{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.432{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.432{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.432{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.369{856D1934-DA1A-6113-F702-00000000E401}3760ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.103{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.103{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-DA1A-6113-F702-00000000E401}3760C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:09:31.057{856D1934-DA1A-6113-F702-00000000E401}3760\PSHost.132731645708912955.3760.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.993{856D1934-DA1A-6113-F702-00000000E401}3760ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dwdyv2a0.jhf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.993{856D1934-DA1A-6113-F702-00000000E401}3760ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gijdq003.fcl.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.457{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53461-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.457{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53461-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.451{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53460-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.451{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53460-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.446{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53459-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.446{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53459-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.763{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C75E080AC99BAD6014FCB3AC387A8545,SHA256=E6D56BB20A736319F8B3380DD647562B9EFB4B6E54F3BA1D8CC9A1706BA904ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.747{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.732{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.732{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.732{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.527{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53468-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.527{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53468-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.520{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53467-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.520{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53467-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.515{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53466-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.515{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53466-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.501{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53465-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.501{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53465-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.489{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53464-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.489{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53464-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.474{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53463-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.474{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53463-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.468{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53462-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:31.468{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53462-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:30.507{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53894-false10.0.1.14win-dc-837.attackrange.local5986- 23542300x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.781{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=551EE2F13FF808BFA5DAEB30AC9DACED,SHA256=C7F2135C577C34753ACE0C82416EDB395FD72A8E9ACBB9AA928949A569FB13A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.781{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.765{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.765{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.765{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.687{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.687{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.687{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.687{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.687{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.687{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D92D-6113-0700-00000000E401}468C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.557{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53472-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.557{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53472-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.551{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53471-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.551{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53471-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.546{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53470-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.546{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53470-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.531{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53469-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:32.531{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53469-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.830{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6951A7D6607A7ABA06B52DDCE26B282,SHA256=B7D4A13ABCC452CFFBEF09D61B0CDF1AA732102F61C7727EDB870D7B26268B04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.814{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.799{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.799{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.799{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.592{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53478-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.592{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53478-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.587{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53477-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.587{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53477-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.583{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53476-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.583{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53476-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.578{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53475-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.577{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53475-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:34.060{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.565{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53473-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:33.565{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53473-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.863{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.863{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.848{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.848{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.832{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.935{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1316E3D07487540A893866B6BB646BDB,SHA256=1B3A2DEC17F294116F08B2BB573DA6EC10D77FB9C6003115F3B7A4216C996042,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.897{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.881{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.881{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.881{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.915{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.915{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.915{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.915{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA8A0B32A9240DDDF72DD200FBDBE742,SHA256=84EC2CF91D3AE359DDA6669F985EB1876A3A743D3F16E4545F917FDCCC473E93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.915{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.620{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53480-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.620{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53480-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.611{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53479-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.611{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53479-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.964{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.948{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.948{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.948{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.932{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB35086CA8B007672E7CB10C4B16C5FE,SHA256=218307BF764316D25105187A9BF0628C646DA1C249506208F3264D6DA917D015,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.676{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53487-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.676{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53487-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.664{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53486-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.664{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53486-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.660{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53485-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.660{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53485-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.655{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53484-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:36.655{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53484-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 13241300x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-SetValue2021-08-11 14:09:38.698{856D1934-D932-6113-1100-00000000E401}464C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d78eba-0x859610db) 354300x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.650{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53483-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.650{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53483-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.642{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53482-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.642{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53482-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.628{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53481-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:35.628{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53481-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.981{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.981{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.981{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.981{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.966{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B97DA9749E914966254639AD3BAA95BC,SHA256=8E1D01E28EF24B4A92C07DBEBF6F70EBB43CFEE9F227550F0FC9629B53BAF0FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.856{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA23-6113-F802-00000000E401}628\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA23-6113-F802-00000000E401}628\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-1600-00000000E401}13001956C:\Windows\System32\svchost.exe{856D1934-DA23-6113-F802-00000000E401}628\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.840{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.668{856D1934-D932-6113-1000-00000000E401}388NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CF66C7F9E228DFD7D5A251F0169454A7,SHA256=EF737786899BAFB7B36BD2CF6732F8F2DABA629F72472025226A3B95BCBE5B57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.699{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53491-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.699{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53491-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.695{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53490-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.695{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53490-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.690{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53489-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.690{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53489-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.686{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53488-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:37.686{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53488-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.724{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53493-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.724{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53493-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.718{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53492-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.718{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53492-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.760{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53499-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.760{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53499-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.756{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53498-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.756{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53498-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.753{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53497-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.753{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53497-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.749{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53496-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:39.749{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53496-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.733{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53495-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.733{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53495-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.729{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53494-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:38.729{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53494-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.029{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.014{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.014{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.014{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.998{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F044EA8554534769F670B4E1B611C84,SHA256=A9736A02D1641A3FFA015962A2CF2B4A7C025685A368EA44A1D537D574A49156,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.799{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53503-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.799{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53503-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.793{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53502-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.793{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53502-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.786{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53501-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.786{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53501-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.781{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53500-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:40.781{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53500-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.062{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAA3873E9C8DAE631D63C2F2C3DE271C,SHA256=B129724CE3C943F2EA099B0E7C375CC0E94390B9FCE6E9BB168649187A525FC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.062{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.046{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.046{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.046{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.986{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.986{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:09:43.954{856D1934-DA27-6113-FC02-00000000E401}1964\PSHost.132731645838201640.1964.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.939{856D1934-DA27-6113-FC02-00000000E401}1964ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lig5g1ve.cmy.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.939{856D1934-DA27-6113-FC02-00000000E401}1964ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_21ollefw.yn4.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.923{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_21ollefw.yn4.ps12021-08-11 14:09:43.923 10341000x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.860{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.829{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.829{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-DA27-6113-FA02-00000000E401}43284828C:\Windows\system32\conhost.exe{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-DA27-6113-FB02-00000000E401}46161340C:\Windows\system32\cmd.exe{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.820{856D1934-DA27-6113-FC02-00000000E401}1964C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA27-6113-DADA-100000000000}0x10dada0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-DA27-6113-FB02-00000000E401}4616C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-DA27-6113-FA02-00000000E401}43284828C:\Windows\system32\conhost.exe{856D1934-DA27-6113-FB02-00000000E401}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA27-6113-FB02-00000000E401}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.814{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.798{856D1934-DA27-6113-F902-00000000E401}50202516C:\Windows\system32\WinrsHost.exe{856D1934-DA27-6113-FB02-00000000E401}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.813{856D1934-DA27-6113-FB02-00000000E401}4616C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA27-6113-DADA-100000000000}0x10dada0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.798{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.798{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.798{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.782{856D1934-D932-6113-1300-00000000E401}10521332C:\Windows\system32\svchost.exe{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.782{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.751{856D1934-DA27-6113-FA02-00000000E401}43284828C:\Windows\system32\conhost.exe{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.751{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA27-6113-FA02-00000000E401}4328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.742{856D1934-DA27-6113-F902-00000000E401}5020C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-DA27-6113-DADA-100000000000}0x10dada0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.735{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.820{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53506-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.820{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53506-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.816{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53505-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.815{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53505-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.812{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53504-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.811{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53504-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.094{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.078{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.078{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.078{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48539D247360285ACC870D430F652088,SHA256=9D00A75DD379449A4B3257B8ABB5C20F0BA1ADFE760A78A43676C17220C5578D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.078{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.752{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=11657F5797B00B2AE790BA0DA33F3990,SHA256=DD691B4BE18076800B1B28ACE7AEB17B27F1A0F5E348F511ADBD8FCBC0F0C14E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.362{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.345{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.859{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53511-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.345{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.267{856D1934-DA27-6113-FC02-00000000E401}1964ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.158{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.142{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.142{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.111{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.095{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8C3577B95A22A5538C2D4621EB620CD,SHA256=5C8B117C43193CAF93EA65AA5074B501F46F97EBC949EE586D61F6AA6950C80C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.855{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53510-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.855{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53510-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.850{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53509-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.850{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53509-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.844{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53508-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.844{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53508-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.826{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53507-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:41.826{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53507-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.190{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.190{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.174{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=118F7A3DE191B85C7A7BC9E7D1601D27,SHA256=DF5BD5C98EC877272D231EF180AA841E8364D6C3D2B7706E09091FEDB84184A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.174{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.174{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.912{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53514-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.911{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53514-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.899{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53513-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.899{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53513-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.875{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53512-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.875{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53512-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.446{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.91.53ppp-93-104-91-53.dynamic.mnet-online.de53895-false10.0.1.14win-dc-837.attackrange.local5986- 354300x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:42.859{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53511-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:46.222{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.950{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53518-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.950{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53518-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.944{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53517-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.944{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53517-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.937{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53516-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.937{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53516-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.924{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53515-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:43.924{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53515-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:46.207{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:46.207{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:46.207{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E96B8A946B5904C7838F890CE691E5B,SHA256=FF0E25EE755B3A51C69C8FCEB5DE8287E534422E714C5032FED223A0AA4A907A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:46.207{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2B-6113-FD02-00000000E401}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA2B-6113-FD02-00000000E401}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.880{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA2B-6113-FD02-00000000E401}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.881{856D1934-DA2B-6113-FD02-00000000E401}4716C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.270{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.979{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53522-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.979{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53522-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.974{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53521-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.974{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53521-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.969{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53520-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.969{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53520-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.956{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53519-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:44.956{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53519-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.255{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.255{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.239{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.224{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=514BF9C1DCA9C1938E2DEB96DFF8DCFA,SHA256=13FAB0BCEE2B26CD65938BF545C695EF403B8FE53EBC41B3E4618A769BF828D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.318{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.318{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.011{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53525-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.011{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53525-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.000{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53524-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.000{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53524-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.984{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53523-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:45.984{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53523-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.303{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.303{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.256{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4E4ECF0360DCD4AD00D773067E818F7,SHA256=D980768259E360BDE36CA82C4398743AF5801C89363BFDB5496295E90A1A7DA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2D-6113-FF02-00000000E401}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA2D-6113-FF02-00000000E401}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.632{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA2D-6113-FF02-00000000E401}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.633{856D1934-DA2D-6113-FF02-00000000E401}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.382{856D1934-DA2D-6113-FE02-00000000E401}45364764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.351{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.351{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.022{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53526-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.022{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53526-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.335{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.335{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAC96418D5CABD53F778A4AFE9CA44FA,SHA256=6383AE3892C75B6C3906BC6B920DFCE0A7E5DBDF9E28D5182CE8958B439855A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.335{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2D-6113-FE02-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA2D-6113-FE02-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.132{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA2D-6113-FE02-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.133{856D1934-DA2D-6113-FE02-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.915{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\README.txt2021-08-11 14:09:50.915 11241100x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.915{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\LICENSE.txt2021-08-11 14:09:50.915 10341000x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.634{856D1934-DA2E-6113-0003-00000000E401}47723260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2E-6113-0003-00000000E401}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA2E-6113-0003-00000000E401}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.446{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA2E-6113-0003-00000000E401}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.447{856D1934-DA2E-6113-0003-00000000E401}4772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.083{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53531-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.083{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53531-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.075{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53530-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.075{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53530-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.069{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53529-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.069{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53529-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.062{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53528-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:48.062{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53528-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.032{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53527-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:47.032{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53527-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.383{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.383{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.368{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.368{856D1934-D930-6113-0B00-00000000E401}612664C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.352{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=394AC537360A9861884772BE71493CE7,SHA256=461B6CE9C42EA68FA06A59E3B0FB447E34CB7E41B940D04453A234A4B0F8ADAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2F-6113-0503-00000000E401}1272C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA2F-6113-0503-00000000E401}1272C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-DA2F-6113-0403-00000000E401}37684944C:\Windows\system32\cmd.exe{856D1934-DA2F-6113-0503-00000000E401}1272C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.679{856D1934-DA2F-6113-0503-00000000E401}1272C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA2F-6113-0403-00000000E401}3768C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.674{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2F-6113-0403-00000000E401}3768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA2F-6113-0403-00000000E401}3768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.659{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-DA2F-6113-0403-00000000E401}3768C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+146d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.670{856D1934-DA2F-6113-0403-00000000E401}3768C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532 10341000x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.643{856D1934-DA2F-6113-0203-00000000E401}49363708C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d40f|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.651{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{856D1934-DA2F-6113-0203-00000000E401}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=1532 10341000x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2F-6113-0203-00000000E401}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA2F-6113-0203-00000000E401}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.628{856D1934-D9AB-6113-CE01-00000000E401}15323576C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA2F-6113-0203-00000000E401}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+77c1aa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+b08def|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd792a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd534e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1a2a848|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.624{856D1934-DA2F-6113-0203-00000000E401}4936C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exesplunk _relaunch restart --accept-license --answer-yes --no-prompt --waitonpid=1532C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.612{856D1934-D9AB-6113-CE01-00000000E401}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\conf-mutator.pidMD5=6E1B3A712AEF009D420FF6D123439116,SHA256=B4721A916B3DE56F5FA195BD8F8D23DD2F73E90B09A8A64BF7657A6BA23ED5BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.581{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\wpcap.dll2021-08-11 14:09:51.581 11241100x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.581{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vcruntime140.dll2021-08-11 14:09:51.581 11241100x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.581{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\vccorlib140.dll2021-08-11 14:09:51.581 354300x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.119{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53535-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.119{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53535-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.113{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53534-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.113{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53534-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.102{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53533-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.102{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53533-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.094{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53532-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:49.094{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53532-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 11241100x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localEXE2021-08-11 14:09:51.424{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe2021-08-11 14:09:51.424 10341000x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.409{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmprotocols.dll2021-08-11 14:09:51.393 10341000x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.393{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.393{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmframework.dll2021-08-11 14:09:51.393 11241100x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\qmflow.dll2021-08-11 14:09:51.393 11241100x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys2021-08-11 14:09:51.393 10341000x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.393{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 11241100x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\msvcp140.dll2021-08-11 14:09:51.393 11241100x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\concrt140.dll2021-08-11 14:09:51.393 11241100x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.localDLL2021-08-11 14:09:51.393{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\Packet.dll2021-08-11 14:09:51.393 23542300x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.377{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39A6EDE9F2B416B65DC7A94298117C77,SHA256=359AE7EA9F27702E6DD02F9F40D0E02F3CBDCB17E84A0D423840D07191DA71FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.330{856D1934-DA2F-6113-0103-00000000E401}4163600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2F-6113-0103-00000000E401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA2F-6113-0103-00000000E401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.127{856D1934-D9AB-6113-CE01-00000000E401}15323820C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA2F-6113-0103-00000000E401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.128{856D1934-DA2F-6113-0103-00000000E401}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA30-6113-0C03-00000000E401}368C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA30-6113-0C03-00000000E401}368C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.894{856D1934-DA30-6113-0B03-00000000E401}33403684C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA30-6113-0C03-00000000E401}368C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.896{856D1934-DA30-6113-0C03-00000000E401}368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA30-6113-0B03-00000000E401}3340C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA30-6113-0B03-00000000E401}3340C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA30-6113-0B03-00000000E401}3340C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.879{856D1934-DA30-6113-0A03-00000000E401}45725076C:\Windows\system32\cmd.exe{856D1934-DA30-6113-0B03-00000000E401}3340C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.886{856D1934-DA30-6113-0B03-00000000E401}3340C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA30-6113-0A03-00000000E401}4572C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA30-6113-0A03-00000000E401}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA30-6113-0A03-00000000E401}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.863{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-DA30-6113-0A03-00000000E401}4572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.872{856D1934-DA30-6113-0A03-00000000E401}4572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532 10341000x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.817{856D1934-DA30-6113-0903-00000000E401}44164920C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.142{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53539-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.142{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53539-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.136{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53538-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.136{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53538-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.131{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53537-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.130{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53537-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.125{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53536-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:50.124{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53536-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA30-6113-0903-00000000E401}4416C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA30-6113-0903-00000000E401}4416C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-DA30-6113-0803-00000000E401}6164100C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA30-6113-0903-00000000E401}4416C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.483{856D1934-DA30-6113-0903-00000000E401}4416C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA30-6113-0803-00000000E401}616C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA30-6113-0803-00000000E401}616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA30-6113-0803-00000000E401}616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.472{856D1934-DA30-6113-0703-00000000E401}3956408C:\Windows\system32\cmd.exe{856D1934-DA30-6113-0803-00000000E401}616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.474{856D1934-DA30-6113-0803-00000000E401}616C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA30-6113-0703-00000000E401}3956C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA30-6113-0703-00000000E401}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA30-6113-0703-00000000E401}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.456{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-DA30-6113-0703-00000000E401}3956C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+14738|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d8a0|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.468{856D1934-DA30-6113-0703-00000000E401}3956C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532 23542300x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.441{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F019FA7AD1164B8CDDC3F94A7F76829,SHA256=F7B5D7CA81AAE45DA931BC7E9C43B53FDC0E2736FB010B41E92D4F1A98513879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.441{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.425{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.425{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.425{856D1934-DA2F-6113-0603-00000000E401}8482256C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.425{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA2F-6113-0603-00000000E401}848C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA2F-6113-0603-00000000E401}848C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.128{856D1934-DA2F-6113-0503-00000000E401}12723748C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA2F-6113-0603-00000000E401}848C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.691{856D1934-DA2F-6113-0603-00000000E401}848C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA2F-6113-0503-00000000E401}1272C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 354300x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.166{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53543-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.166{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53543-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.160{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53542-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.160{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53542-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.155{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53541-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.155{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53541-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.151{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53540-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:51.151{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53540-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 23542300x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.489{856D1934-D9B7-6113-1F02-00000000E401}752NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43487810D50A3BE74BE17F9A40D793A8,SHA256=2E7FC64A64EAC943D785561211D8EFB3BC4A7E250094C7020960FB6DB5FCC87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.458{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.458{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.458{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.458{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.160{856D1934-DA30-6113-0C03-00000000E401}3684648C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.193{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53547-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.193{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53547-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.189{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53546-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.189{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53546-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.184{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53545-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.184{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53545-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.180{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53544-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:52.179{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53544-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.490{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.474{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.474{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.474{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.710{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.710{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.710{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA33-6113-1203-00000000E401}4468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA33-6113-1203-00000000E401}4468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-DA33-6113-1103-00000000E401}6364676C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA33-6113-1203-00000000E401}4468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.704{856D1934-DA33-6113-1203-00000000E401}4468C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA33-6113-1103-00000000E401}636C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA33-6113-1103-00000000E401}636C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.694{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA33-6113-1103-00000000E401}636C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-DA33-6113-1003-00000000E401}38884992C:\Windows\system32\cmd.exe{856D1934-DA33-6113-1103-00000000E401}636C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.691{856D1934-DA33-6113-1103-00000000E401}636C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA33-6113-1003-00000000E401}3888C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.679{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA33-6113-1003-00000000E401}3888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA33-6113-1003-00000000E401}3888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.663{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-DA33-6113-1003-00000000E401}3888C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1893f|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17106|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1385a|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.676{856D1934-DA33-6113-1003-00000000E401}3888C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532 354300x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.240{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53555-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.240{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53555-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.235{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53554-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.235{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53554-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.230{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53553-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.230{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53553-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.227{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53552-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:54.226{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53552-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.538{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.522{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.522{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.507{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.221{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-837.attackrange.local53551-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.221{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-837.attackrange.local53551-false10.0.1.14win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.218{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53550-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.218{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetrue2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53550-true2001:0:2851:782c:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.214{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53549-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.214{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local53549-truefe80:0:0:0:2c4f:6ce1:a648:a5ddwin-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.210{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53548-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 354300x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:53.210{856D1934-D927-6113-0100-00000000E401}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local53548-truefe80:0:0:0:24a0:226f:f5ff:fef1win-dc-837.attackrange.local445microsoft-ds 10341000x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA33-6113-0F03-00000000E401}2144C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA33-6113-0F03-00000000E401}2144C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-DA33-6113-0E03-00000000E401}46043676C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA33-6113-0F03-00000000E401}2144C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.265{856D1934-DA33-6113-0F03-00000000E401}2144C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA33-6113-0E03-00000000E401}4604C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServer --no-log 10341000x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA33-6113-0E03-00000000E401}4604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.256{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA33-6113-0E03-00000000E401}4604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-DA33-6113-0D03-00000000E401}30923396C:\Windows\system32\cmd.exe{856D1934-DA33-6113-0E03-00000000E401}4604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.254{856D1934-DA33-6113-0E03-00000000E401}4604C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA33-6113-0D03-00000000E401}3092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-log 10341000x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA33-6113-0D03-00000000E401}3092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA33-6113-0D03-00000000E401}3092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.241{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-DA33-6113-0D03-00000000E401}3092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+6665|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+17249|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+137ff|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.245{856D1934-DA33-6113-0D03-00000000E401}3092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServer --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532 10341000x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:55.225{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-D9AB-6113-CE01-00000000E401}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+457e6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+460cb|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+453d6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d925|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003046Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA34-6113-2303-00000000E401}2596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003045Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003044Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003043Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003042Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003041Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003040Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003039Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003038Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003037Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003036Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003035Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA34-6113-2303-00000000E401}2596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003034Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003033Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-DA34-6113-2203-00000000E401}43764952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA34-6113-2303-00000000E401}2596C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003032Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.852{856D1934-DA34-6113-2303-00000000E401}2596C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA34-6113-2203-00000000E401}4376C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000003031Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA34-6113-2203-00000000E401}4376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003030Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003029Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003028Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003027Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003026Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003025Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003024Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003023Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA34-6113-2203-00000000E401}4376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003022Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003021Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003020Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.836{856D1934-DA34-6113-2103-00000000E401}49363860C:\Windows\system32\cmd.exe{856D1934-DA34-6113-2203-00000000E401}4376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003019Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.837{856D1934-DA34-6113-2203-00000000E401}4376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA34-6113-2103-00000000E401}4936C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000003018Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA34-6113-2103-00000000E401}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003017Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003016Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003015Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003014Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003013Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003012Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003011Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003010Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-2103-00000000E401}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000003009Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003008Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003007Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.820{856D1934-DA34-6113-2003-00000000E401}3584416C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{856D1934-DA34-6113-2103-00000000E401}4936C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000003006Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.831{856D1934-DA34-6113-2103-00000000E401}4936C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA34-6113-2003-00000000E401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 17141700x80000000000000003005Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-CreatePipe2021-08-11 14:09:56.820{856D1934-DA34-6113-1C03-00000000E401}4716\PSHost.132731645967331560.4716.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000003004Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA34-6113-2003-00000000E401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003003Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003002Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003001Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003000Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002999Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002998Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002997Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002996Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002995Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-2003-00000000E401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002994Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002993Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-DA34-6113-1F03-00000000E401}36443660C:\Windows\system32\cmd.exe{856D1934-DA34-6113-2003-00000000E401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002992Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.814{856D1934-DA34-6113-2003-00000000E401}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{856D1934-DA34-6113-1F03-00000000E401}3644C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000002991Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1F03-00000000E401}3644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002990Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002989Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002988Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002987Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002986Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002985Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002984Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002983Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002982Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002981Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1F03-00000000E401}3644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000002980Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-DA34-6113-1C03-00000000E401}4716ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_01s3laet.0sa.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002979Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-DA34-6113-1603-00000000E401}26764440C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA34-6113-1F03-00000000E401}3644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002978Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.808{856D1934-DA34-6113-1F03-00000000E401}3644C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000002977Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.805{856D1934-DA34-6113-1C03-00000000E401}4716ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_njuhcr4l.5zq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000002976Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.789{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000002975Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.789{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_njuhcr4l.5zq.ps12021-08-11 14:09:56.789 10341000x80000000000000002974Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.789{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1E03-00000000E401}2324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002973Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.774{856D1934-D92F-6113-0A00-00000000E401}6042432C:\Windows\system32\services.exe{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002972Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002971Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-DA34-6113-1B03-00000000E401}45323496C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1D03-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002970Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002969Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002968Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002967Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002966Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002965Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002964Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002963Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1D03-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002962Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.758{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002961Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.742{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002960Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.742{856D1934-DA34-6113-1903-00000000E401}48084412C:\Windows\system32\cmd.exe{856D1934-DA34-6113-1D03-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002959Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.756{856D1934-DA34-6113-1D03-00000000E401}4536C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{856D1934-DA34-6113-1903-00000000E401}4808C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000002958Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002957Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002956Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002955Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-DA34-6113-1B03-00000000E401}45323496C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1903-00000000E401}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002954Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-DA34-6113-1803-00000000E401}43565016C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002953Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002952Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002951Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002950Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002949Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002948Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002947Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002946Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002945Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002944Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002943Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-DA34-6113-1A03-00000000E401}45844712C:\Windows\system32\cmd.exe{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002942Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.733{856D1934-DA34-6113-1C03-00000000E401}4716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA34-6113-6571-110000000000}0x1171650HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{856D1934-DA34-6113-1A03-00000000E401}4584C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002941Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-DA34-6113-1803-00000000E401}43565016C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1A03-00000000E401}4584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002940Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.727{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1B03-00000000E401}4532C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002939Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002938Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002937Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002936Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002935Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002934Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002933Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002932Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002931Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002930Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1A03-00000000E401}4584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002929Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-DA34-6113-1703-00000000E401}47204204C:\Windows\system32\WinrsHost.exe{856D1934-DA34-6113-1A03-00000000E401}4584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 154100x80000000000000002928Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.721{856D1934-DA34-6113-1A03-00000000E401}4584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{856D1934-DA34-6113-6571-110000000000}0x1171650HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002927Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002926Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1903-00000000E401}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-DA34-6113-1603-00000000E401}26764996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{856D1934-DA34-6113-1903-00000000E401}4808C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.719{856D1934-DA34-6113-1903-00000000E401}4808C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.711{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.695{856D1934-D932-6113-1300-00000000E401}10521332C:\Windows\system32\svchost.exe{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.680{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.664{856D1934-DA34-6113-1803-00000000E401}43565016C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.648{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1803-00000000E401}4356C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840872C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.645{856D1934-DA34-6113-1703-00000000E401}4720C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{856D1934-DA34-6113-6571-110000000000}0x1171650HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{856D1934-D932-6113-0C00-00000000E401}840C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002894Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.633{856D1934-D930-6113-0B00-00000000E401}612820C:\Windows\system32\lsass.exe{856D1934-D932-6113-1300-00000000E401}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002893Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.586{856D1934-D930-6113-0B00-00000000E401}612656C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002892Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.570{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002891Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.570{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002890Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.555{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002889Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.555{856D1934-D930-6113-0B00-00000000E401}612832C:\Windows\system32\lsass.exe{856D1934-D927-6113-0100-00000000E401}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000002888Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002887Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002886Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002885Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002884Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002883Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002882Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002881Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002880Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002879Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002878Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.445{856D1934-D92F-6113-0A00-00000000E401}604344C:\Windows\system32\services.exe{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002877Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.450{856D1934-DA34-6113-1603-00000000E401}2676C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-D92F-6113-0A00-00000000E401}604C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000002876Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.117{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002875Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.117{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002874Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.117{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002873Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.117{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002872Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002871Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1503-00000000E401}4364C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002870Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002869Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002868Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002867Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002866Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D929-6113-0500-00000000E401}396412C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1503-00000000E401}4364C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002865Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-DA34-6113-1403-00000000E401}48243096C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{856D1934-DA34-6113-1503-00000000E401}4364C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002864Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.109{856D1934-DA34-6113-1503-00000000E401}4364C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{856D1934-DA34-6113-1403-00000000E401}4824C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list httpServerListener: --no-log 10341000x80000000000000002863Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1403-00000000E401}4824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.101{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D929-6113-0500-00000000E401}396512C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1403-00000000E401}4824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-DA34-6113-1303-00000000E401}25484972C:\Windows\system32\cmd.exe{856D1934-DA34-6113-1403-00000000E401}4824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.095{856D1934-DA34-6113-1403-00000000E401}4824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{856D1934-DA34-6113-1303-00000000E401}2548C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-log 10341000x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D9AC-6113-D201-00000000E401}32841044C:\Windows\system32\conhost.exe{856D1934-DA34-6113-1303-00000000E401}2548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-D929-6113-0500-00000000E401}396352C:\Windows\system32\csrss.exe{856D1934-DA34-6113-1303-00000000E401}2548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.085{856D1934-DA2F-6113-0303-00000000E401}33204304C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE{856D1934-DA34-6113-1303-00000000E401}2548C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+13ac4|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+12176|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+19082|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+d94e|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:56.087{856D1934-DA34-6113-1303-00000000E401}2548C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list httpServerListener: --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{856D1934-D930-6113-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{856D1934-DA2F-6113-0303-00000000E401}3320C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\Splunk.EXE" restart --waitonpid=1532 10341000x80000000000000003183Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:57.837{856D1934-DA34-6113-1E03-00000000E401}23243528C:\Windows\system32\conhost.exe{856D1934-DA35-6113-2C03-00000000E401}484C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003182Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:57.837{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003181Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:57.837{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003180Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:57.837{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003179Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:57.837{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000003178Microsoft-Windows-Sysmon/Operationalwin-dc-837.attackrange.local-2021-08-11 14:09:57.837{856D1934-D932-6113-0C00-00000000E401}840104C:\Windows\system32\svchost.exe{856D1934-D9D5-6113-AE02-00000000E401}4788C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|