10341000x800000000000000034Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000033Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000032Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000031Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000030Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000029Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000028Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000027Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000026Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000025Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000024Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.321{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000023Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000022Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000021Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000020Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000019Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000018Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000017Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000016Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000015Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000014Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000013Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000012Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.305{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000011Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.274{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000010Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.274{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000009Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.274{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000008Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.272{5D479F2C-1676-5F84-F502-000000007E01}4592C:\Windows\System32\wbem\unsecapp.exe10.0.14393.2515 (rs1_release_1.180830-1044)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-1504-5F84-E703-000000000000}0x3e70SystemMD5=2E49BB6C9F6599F518FE30BE2F000247,SHA256=20F499D581CF4AF331D8EC8B1E07A32CC1A695EF6790B51DA5EE223C5867154F,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.258{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000006Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.258{5D479F2C-1504-5F84-0A00-000000007E01}8523044C:\Windows\system32\services.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x80000000000000005Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.243{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x80000000000000004Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.243{5D479F2C-1504-5F84-0A00-000000007E01}852940C:\Windows\system32\services.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+12bee|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d608|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x80000000000000003Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:22.227{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe12.0System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5D479F2C-1504-5F84-E703-000000000000}0x3e70SystemMD5=0475D48604B7C8E7D9DD7605B6A5930F,SHA256=55BAD23D049A2FD801B8DECDC5D960D4E27D7F92541E8B37557B7495CA5561A2,IMPHASH=49AAA307415968B34D3FD1A72DEE6C71{5D479F2C-1504-5F84-0A00-000000007E01}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 434400x80000000000000002Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local2020-10-12 08:40:22.305Started12.04.40 16341600x80000000000000001Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local2020-10-12 08:40:22.211c:\Program Files\ansible\AttackRangeSysmon.xmlSHA1=662E68DD6B3360E156BDE1F54FD3ED5BB76E8AFC 10341000x8000000000000000128Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.790{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000127Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000126Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000125Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000124Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000123Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000122Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000121Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000120Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000119Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000118Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000117Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1677-5F84-FA02-000000007E01}46762348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+366a32ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b44137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b43e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+365f546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b0499e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b62e6d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b464d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b464d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b46363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b382e8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b4481b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b4440e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b44137(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b43e08(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+365f546d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b2ac69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35b2a239(wow64) 154100x8000000000000000116Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.787{5D479F2C-1677-5F84-FB02-000000007E01}1500C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000115Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000114Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000113Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.774{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000112Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.727{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000111Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.727{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000110Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.680{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_q2oablqw.104.ps12020-10-12 08:40:23.680 10341000x8000000000000000109Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.680{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000108Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000107Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000106Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000105Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000104Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000103Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000102Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000101Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1677-5F84-F902-000000007E01}4384744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+362432a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356a4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35702e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356d82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356cac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356ca232(wow64) 10341000x8000000000000000100Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000099Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000098Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000097Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.649{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x800000000000000096Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.654{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000095Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.602{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000094Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.602{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x800000000000000093Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.555{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gdq1umrn.j3j.ps12020-10-12 08:40:23.555 10341000x800000000000000092Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.540{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000091Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000090Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000089Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000088Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000087Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000086Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000085Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000084Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000083Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000082Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000081Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000080Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.524{5D479F2C-1677-5F84-F802-000000007E01}51124340C:\Windows\system32\cmd.exe{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x800000000000000079Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.518{5D479F2C-1677-5F84-F902-000000007E01}4384C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x800000000000000078Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000077Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000076Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000075Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000074Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000073Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000072Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000071Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000070Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000069Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000068Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000067Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000066Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000065Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000064Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.508{5D479F2C-1677-5F84-F602-000000007E01}13244120C:\Windows\system32\WinrsHost.exe{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x800000000000000063Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.506{5D479F2C-1677-5F84-F802-000000007E01}5112C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x800000000000000062Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000061Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000060Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000059Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.493{5D479F2C-1507-5F84-1300-000000007E01}13082496C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x800000000000000058Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.477{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000057Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.477{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000056Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F702-000000007E01}4364C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000055Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000054Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000053Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000052Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000051Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000050Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000049Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000048Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000047Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000046Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x800000000000000045Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x800000000000000044Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.467{5D479F2C-1677-5F84-F602-000000007E01}1324C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x800000000000000043Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000042Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000041Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.461{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000040Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.383{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000039Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.383{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000038Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.383{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000037Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.368{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000036Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.368{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x800000000000000035Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:23.368{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000221Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.946{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000220Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.946{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000219Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.915{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oeuhpdzq.sn0.ps12020-10-12 08:40:24.915 10341000x8000000000000000218Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.899{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000217Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000216Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000215Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000214Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000213Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000212Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000211Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000210Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000209Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000208Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000207Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000206Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000205Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000204Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-0003-000000007E01}47485080C:\Windows\system32\cmd.exe{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000203Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.877{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000202Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000201Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000200Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000199Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000198Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000197Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000196Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000195Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000194Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000193Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000192Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000191Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000190Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1678-5F84-FE02-000000007E01}42364224C:\Windows\system32\WinrsHost.exe{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000189Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.872{5D479F2C-1678-5F84-0003-000000007E01}4748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000188Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000187Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000186Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.868{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000185Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.852{5D479F2C-1507-5F84-1300-000000007E01}13082496C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000184Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.852{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000183Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000182Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FF02-000000007E01}4756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000181Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000180Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000179Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000178Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000177Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000176Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000175Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000174Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000173Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000172Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000171Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000170Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.839{5D479F2C-1678-5F84-FE02-000000007E01}4236C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000169Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000168Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.837{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000167Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.821{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000166Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000165Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000164Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000163Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000162Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000161Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.743{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000160Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:24.352{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\bqwsc4ag.dll2020-10-12 08:40:24.227 10341000x8000000000000000159Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000158Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000157Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000156Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000155Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000154Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000153Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1678-5F84-FC02-000000007E01}42961504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000152Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000151Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000150Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000149Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000148Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.352{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000147Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.351{5D479F2C-1678-5F84-FD02-000000007E01}4140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD384.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCD845E8C4A0CD4853B5D24317EE8DC8DD.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\bqwsc4ag.cmdline" 10341000x8000000000000000146Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.337{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000145Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.337{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000144Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.337{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000143Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1677-5F84-F702-000000007E01}43642676C:\Windows\system32\conhost.exe{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000142Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000141Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000140Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000139Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000138Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000137Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000136Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000135Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000134Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1677-5F84-FA02-000000007E01}46762348C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c19a9|UNKNOWN(00007FF9E2E9B68F) 10341000x8000000000000000133Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000132Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.258{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000131Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.232{5D479F2C-1678-5F84-FC02-000000007E01}4296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\bqwsc4ag.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1677-5F84-B55C-110000000000}0x115cb50HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000130Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.227{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\bqwsc4ag.cmdline2020-10-12 08:40:24.227 11241100x8000000000000000129Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:24.227{5D479F2C-1677-5F84-FA02-000000007E01}4676C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\bqwsc4ag.dll2020-10-12 08:40:24.227 13241300x8000000000000000287Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-SetValue2020-10-12 08:40:25.977{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\MaxSizeDWORD (0x12d2c000) 10341000x8000000000000000286Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.712{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000285Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.712{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000284Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.712{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000283Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:25.665{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\taervu2d.dll2020-10-12 08:40:25.571 10341000x8000000000000000282Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000281Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000280Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000279Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000278Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000277Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000276Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000275Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000274Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000273Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000272Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000271Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.665{5D479F2C-1679-5F84-0403-000000007E01}41164488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000270Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.666{5D479F2C-1679-5F84-0503-000000007E01}3960C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESD8B4.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCF0C11AC87572495F965A54CDE7136DA1.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\taervu2d.cmdline" 10341000x8000000000000000269Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000268Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000267Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000266Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000265Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000264Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000263Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000262Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000261Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000260Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000259Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000258Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1679-5F84-0203-000000007E01}43082040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c19a9|UNKNOWN(00007FF9E2E8B68F) 154100x8000000000000000257Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.582{5D479F2C-1679-5F84-0403-000000007E01}4116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\taervu2d.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000256Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.571{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\taervu2d.cmdline2020-10-12 08:40:25.571 11241100x8000000000000000255Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:25.571{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\taervu2d.dll2020-10-12 08:40:25.571 10341000x8000000000000000254Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000253Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000252Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000251Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000250Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000249Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000248Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000247Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000246Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000245Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000244Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000243Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.133{5D479F2C-1679-5F84-0203-000000007E01}43082040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|UNKNOWN(00007FFA3698331B)|UNKNOWN(00007FFA35E241A5)|UNKNOWN(00007FFA35E23E76)|UNKNOWN(00007FFA368D54DB)|UNKNOWN(00007FFA35DE4A0C)|UNKNOWN(00007FFA35E42EDB)|UNKNOWN(00007FFA35E26540)|UNKNOWN(00007FFA35E26540)|UNKNOWN(00007FFA35E263D1)|UNKNOWN(00007FFA35E18356)|UNKNOWN(00007FFA35E24889)|UNKNOWN(00007FFA35E2447C)|UNKNOWN(00007FFA35E241A5)|UNKNOWN(00007FFA35E23E76)|UNKNOWN(00007FFA368D54DB)|UNKNOWN(00007FFA35E0ACD7)|UNKNOWN(00007FFA35E0A2A7) 154100x8000000000000000242Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.135{5D479F2C-1679-5F84-0303-000000007E01}4712C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000241Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.118{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000240Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.118{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000239Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.118{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000238Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.071{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000237Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.071{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000236Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.040{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tnuf33tk.b2w.ps12020-10-12 08:40:25.040 10341000x8000000000000000235Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.024{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000234Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1678-5F84-FF02-000000007E01}47564000C:\Windows\system32\conhost.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000233Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000232Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000231Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000230Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000229Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000228Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000227Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000226Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000225Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000224Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000223Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:24.993{5D479F2C-1678-5F84-0103-000000007E01}46443544C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+362432a6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356a4997(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35702e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e64cb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e635c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356d82e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4814(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4407(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e4130(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356e3e01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36195466(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356cac62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+356ca232(wow64) 154100x8000000000000000222Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:25.004{5D479F2C-1679-5F84-0203-000000007E01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-1678-5F84-7C8C-110000000000}0x118c7c0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-1678-5F84-0103-000000007E01}4644C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 11241100x8000000000000000410Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:26.977{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\adoupm4p.dll2020-10-12 08:40:26.884 10341000x8000000000000000409Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.977{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000408Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000407Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000406Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000405Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000404Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000403Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000402Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000401Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000400Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000399Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000398Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.962{5D479F2C-167A-5F84-0C03-000000007E01}42444100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000397Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.975{5D479F2C-167A-5F84-0D03-000000007E01}5100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESDDC5.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCC80B3BB7D05A4645AE54C1E79FD893C3.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\adoupm4p.cmdline" 10341000x8000000000000000396Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000395Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000394Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000393Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000392Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000391Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000390Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000389Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000388Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000387Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000386Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000385Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0A03-000000007E01}18322316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+7c19a9|UNKNOWN(00007FF9E2EAB68F) 154100x8000000000000000384Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.890{5D479F2C-167A-5F84-0C03-000000007E01}4244C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\adoupm4p.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000383Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\adoupm4p.cmdline2020-10-12 08:40:26.884 11241100x8000000000000000382Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.localDLL2020-10-12 08:40:26.884{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\adoupm4p.dll2020-10-12 08:40:26.884 10341000x8000000000000000381Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000380Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000379Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000378Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000377Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000376Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000375Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000374Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000373Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000372Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000371Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000370Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-167A-5F84-0A03-000000007E01}18322316C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3698331b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35de4a0c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e42edb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e26540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e26540(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e263d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e18356(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e24889(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2447c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e76(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54db(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0acd7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0a2a7(wow64) 154100x8000000000000000369Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.446{5D479F2C-167A-5F84-0B03-000000007E01}4604C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x8000000000000000368Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.430{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000367Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.430{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000366Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.430{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000365Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.384{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000364Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.384{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000363Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.352{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_cki3jqjz.nhs.ps12020-10-12 08:40:26.352 10341000x8000000000000000362Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.337{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000361Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000360Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000359Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000358Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000357Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000356Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000355Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000354Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000353Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000352Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000351Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000350Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.305{5D479F2C-167A-5F84-0903-000000007E01}29844704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+365732ed(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a14177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a13e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+364c54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+359d49de(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a32ead(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a16512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a16512(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a163a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a08328(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a1485b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a1444e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a14177(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35a13e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+364c54ad(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+359faca9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+359fa279(wow64) 154100x8000000000000000349Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.315{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000348Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.259{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000347Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.259{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000346Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.227{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ryndf0ex.dl5.ps12020-10-12 08:40:26.227 10341000x8000000000000000345Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.212{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000344Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000343Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000342Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000341Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000340Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000339Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000338Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000337Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000336Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000335Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000334Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000333Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0803-000000007E01}48724596C:\Windows\system32\cmd.exe{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000332Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.189{5D479F2C-167A-5F84-0903-000000007E01}2984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000331Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000330Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000329Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000328Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000327Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000326Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000325Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000324Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000323Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000322Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000321Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000320Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000319Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000318Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000317Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-167A-5F84-0603-000000007E01}44964248C:\Windows\system32\WinrsHost.exe{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000316Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.184{5D479F2C-167A-5F84-0803-000000007E01}4872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000315Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000314Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.180{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000313Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.165{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000312Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.165{5D479F2C-1507-5F84-1300-000000007E01}13081948C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000311Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.165{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000310Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-167A-5F84-0703-000000007E01}50444736C:\Windows\system32\conhost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000309Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0703-000000007E01}5044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000308Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000307Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000306Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000305Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000304Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000303Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000302Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000301Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000300Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000299Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000298Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000297Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.151{5D479F2C-167A-5F84-0603-000000007E01}4496C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-167A-5F84-77B4-110000000000}0x11b4770HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000296Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000295Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.149{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000294Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.134{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000293Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.071{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000292Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000291Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000290Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000289Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000288Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:26.055{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000550Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000549Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000548Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.978{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000547Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000546Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000545Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1502-5F84-0700-000000007E01}716C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000544Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000543Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000542Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000541Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000540Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000539Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000538Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000537Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000536Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000535Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000534Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000533Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.962{5D479F2C-167B-5F84-1403-000000007E01}14964124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\system32\shutdown.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3698331a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e75(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35de4a0b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e42eda(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2653f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2653f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e263d0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e18355(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e24888(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e2447b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e241a4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e23e75(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+368d54da(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0acd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35e0a2a6(wow64) 154100x8000000000000000532Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.964{5D479F2C-167B-5F84-1503-000000007E01}4028C:\Windows\System32\shutdown.exe10.0.14393.0 (rs1_release.160715-1616)Windows Shutdown and Annotation ToolMicrosoft® Windows® Operating SystemMicrosoft CorporationSHUTDOWN.EXE"C:\Windows\system32\shutdown.exe" /r /t 2 /c "Reboot initiated by Ansible"C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=547993395376742A437D3145AF6B0309,SHA256=F96073C3442EA0A99B4945394007602772DB36732D1511DC2068519526678F8A,IMPHASH=609F1D7580ED496A3076AEBA77DAFC7E{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA== 10341000x8000000000000000531Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.899{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000530Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.899{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000529Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.868{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0dn0t03m.cft.ps12020-10-12 08:40:27.868 10341000x8000000000000000528Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.853{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000527Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000526Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000525Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000524Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000523Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000522Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000521Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000520Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000519Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000518Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000517Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.837{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000516Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.821{5D479F2C-167B-5F84-1303-000000007E01}45084752C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\78b8fb2c58a4cdcc3a44547b9bbd80b9\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+362f32a9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35794133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35793e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36245469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3575499a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357b2e69(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357964ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357964ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3579635f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+357882e4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35794817(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3579440a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35794133(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+35793e04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+36245469(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3577ac65(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbcfce4d5e2ff289fc26db1642aedc89\System.Management.Automation.ni.dll+3577a235(wow64) 154100x8000000000000000515Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.836{5D479F2C-167B-5F84-1403-000000007E01}1496C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UwBlAHQALQBTAHQAcgBpAGMAdABNAG8AZABlACAALQBWAGUAcgBzAGkAbwBuACAATABhAHQAZQBzAHQACgBzAGgAdQB0AGQAbwB3AG4AIAAvAHIAIAAvAHQAIAAyACAALwBjACAAIgBSAGUAYgBvAG8AdAAgAGkAbgBpAHQAaQBhAHQAZQBkACAAYgB5ACAAQQBuAHMAaQBiAGwAZQAiAAoASQBmACAAKAAtAG4AbwB0ACAAJAA/ACkAIAB7ACAASQBmACAAKABHAGUAdAAtAFYAYQByAGkAYQBiAGwAZQAgAEwAQQBTAFQARQBYAEkAVABDAE8ARABFACAALQBFAHIAcgBvAHIAQQBjAHQAaQBvAG4AIABTAGkAbABlAG4AdABsAHkAQwBvAG4AdABpAG4AdQBlACkAIAB7ACAAZQB4AGkAdAAgACQATABBAFMAVABFAFgASQBUAEMATwBEAEUAIAB9ACAARQBsAHMAZQAgAHsAIABlAHgAaQB0ACAAMQAgAH0AIAB9AA==C:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000514Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.774{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000513Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.774{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000512Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.743{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_okhk4ylk.jcl.ps12020-10-12 08:40:27.743 10341000x8000000000000000511Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.728{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000510Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000509Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000508Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000507Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000506Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000505Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000504Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000503Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000502Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000501Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000500Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000499Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-167B-5F84-1203-000000007E01}40324428C:\Windows\system32\cmd.exe{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000498Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.712{5D479F2C-167B-5F84-1303-000000007E01}4508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0A 10341000x8000000000000000497Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000496Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000495Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000494Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000493Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000492Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000491Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000490Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000489Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000488Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000487Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000486Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000485Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000484Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-14FE-5F84-0500-000000007E01}640760C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000483Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-167B-5F84-0E03-000000007E01}50841256C:\Windows\system32\WinrsHost.exe{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000482Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.707{5D479F2C-167B-5F84-1203-000000007E01}4032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAVQB3AEIAbABBAEgAUQBBAEwAUQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwBNAEEAZABBAEIATgBBAEcAOABBAFoAQQBCAGwAQQBDAEEAQQBMAFEAQgBXAEEARwBVAEEAYwBnAEIAegBBAEcAawBBAGIAdwBCAHUAQQBDAEEAQQBUAEEAQgBoAEEASABRAEEAWgBRAEIAegBBAEgAUQBBAEMAZwBCAHoAQQBHAGcAQQBkAFEAQgAwAEEARwBRAEEAYgB3AEIAMwBBAEcANABBAEkAQQBBAHYAQQBIAEkAQQBJAEEAQQB2AEEASABRAEEASQBBAEEAeQBBAEMAQQBBAEwAdwBCAGoAQQBDAEEAQQBJAGcAQgBTAEEARwBVAEEAWQBnAEIAdgBBAEcAOABBAGQAQQBBAGcAQQBHAGsAQQBiAGcAQgBwAEEASABRAEEAYQBRAEIAaABBAEgAUQBBAFoAUQBCAGsAQQBDAEEAQQBZAGcAQgA1AEEAQwBBAEEAUQBRAEIAdQBBAEgATQBBAGEAUQBCAGkAQQBHAHcAQQBaAFEAQQBpAEEAQQBvAEEAUwBRAEIAbQBBAEMAQQBBAEsAQQBBAHQAQQBHADQAQQBiAHcAQgAwAEEAQwBBAEEASgBBAEEALwBBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBTAFEAQgBtAEEAQwBBAEEASwBBAEIASABBAEcAVQBBAGQAQQBBAHQAQQBGAFkAQQBZAFEAQgB5AEEARwBrAEEAWQBRAEIAaQBBAEcAdwBBAFoAUQBBAGcAQQBFAHcAQQBRAFEAQgBUAEEARgBRAEEAUgBRAEIAWQBBAEUAawBBAFYAQQBCAEQAQQBFADgAQQBSAEEAQgBGAEEAQwBBAEEATABRAEIARgBBAEgASQBBAGMAZwBCAHYAQQBIAEkAQQBRAFEAQgBqAEEASABRAEEAYQBRAEIAdgBBAEcANABBAEkAQQBCAFQAQQBHAGsAQQBiAEEAQgBsAEEARwA0AEEAZABBAEIAcwBBAEgAawBBAFEAdwBCAHYAQQBHADQAQQBkAEEAQgBwAEEARwA0AEEAZABRAEIAbABBAEMAawBBAEkAQQBCADcAQQBDAEEAQQBaAFEAQgA0AEEARwBrAEEAZABBAEEAZwBBAEMAUQBBAFQAQQBCAEIAQQBGAE0AQQBWAEEAQgBGAEEARgBnAEEAUwBRAEIAVQBBAEUATQBBAFQAdwBCAEUAQQBFAFUAQQBJAEEAQgA5AEEAQwBBAEEAUgBRAEIAcwBBAEgATQBBAFoAUQBBAGcAQQBIAHMAQQBJAEEAQgBsAEEASABnAEEAYQBRAEIAMABBAEMAQQBBAE0AUQBBAGcAQQBIADAAQQBJAEEAQgA5AEEAQQA9AD0AC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000481Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000480Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000479Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000478Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000477Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000476Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.696{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000475Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.509{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000474Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.509{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\System32\RPCRT4.dll+112df|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 11241100x8000000000000000473Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.477{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ie45nprh.hh4.ps12020-10-12 08:40:27.477 10341000x8000000000000000472Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.462{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000471Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000470Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000469Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000468Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000467Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000466Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000465Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000464Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000463Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000462Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000461Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-14FE-5F84-0500-000000007E01}6402464C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000460Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-167B-5F84-1003-000000007E01}43962676C:\Windows\system32\cmd.exe{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000459Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.450{5D479F2C-167B-5F84-1103-000000007E01}4744C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUA 10341000x8000000000000000458Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000457Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000456Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000455Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000454Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000453Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.446{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000452Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000451Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000450Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000449Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000448Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000447Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000446Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000445Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000444Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-167B-5F84-0E03-000000007E01}50841256C:\Windows\system32\WinrsHost.exe{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+7d09|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+b42b|C:\Windows\System32\combase.dll+53b8c|C:\Windows\System32\combase.dll+53842|C:\Windows\System32\combase.dll+51968|C:\Windows\System32\combase.dll+4fedd|C:\Windows\System32\combase.dll+4f5bf|C:\Windows\System32\combase.dll+6da09|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5982e|C:\Windows\System32\RPCRT4.dll+39257|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb 154100x8000000000000000443Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.445{5D479F2C-167B-5F84-1003-000000007E01}4396C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand KABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBDAGwAYQBzAHMATgBhAG0AZQAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBMAGEAcwB0AEIAbwBvAHQAVQBwAFQAaQBtAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000442Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000441Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000440Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000439Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1507-5F84-1300-000000007E01}13081948C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000438Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.431{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000437Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.415{5D479F2C-167B-5F84-0F03-000000007E01}44684280C:\Windows\system32\conhost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000436Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.415{5D479F2C-14FE-5F84-0500-000000007E01}640656C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-0F03-000000007E01}4468C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6a54|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000435Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000434Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000433Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000432Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000431Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000430Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000429Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000428Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000427Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}5721064C:\Windows\system32\svchost.exe{5D479F2C-1676-5F84-F402-000000007E01}4628C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000426Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-14FE-5F84-0500-000000007E01}6401148C:\Windows\system32\csrss.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+6e87f 10341000x8000000000000000425Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1506-5F84-0C00-000000007E01}572596C:\Windows\system32\svchost.exe{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7194|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+43e3b|C:\Windows\System32\RPCRT4.dll+46a2a|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 154100x8000000000000000424Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.413{5D479F2C-167B-5F84-0E03-000000007E01}5084C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5D479F2C-167B-5F84-41E1-110000000000}0x11e1410HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{5D479F2C-1506-5F84-0C00-000000007E01}572C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000423Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000422Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000421Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.399{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000420Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.368{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000419Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.368{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000418Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.368{5D479F2C-1504-5F84-0B00-000000007E01}860664C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000417Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.352{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000416Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.352{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 10341000x8000000000000000415Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.352{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+6e871 13241300x8000000000000000414Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-SetValue2020-10-12 08:40:27.274{5D479F2C-167A-5F84-0A03-000000007E01}1832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational\RetentionDWORD (0x00000000) 10341000x8000000000000000413Microsoft-Windows-Sysmon/Operationalwin-dc-3574060.attackrange.local-2020-10-12 08:40:27.009{5D479F2C-1504-5F84-0B00-000000007E01}8603768C:\Windows\system32\lsass.exe{5D479F2C-1507-5F84-1300-000000007E01}1308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5ec4|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78343|C:\Windows\System32\RPCRT4.dll+dbc0d|C:\Windows\System32\RPCRT4.dll+b3dc|C:\Windows\System32\RPCRT4.dll+59dc4|C:\Windows\System32\RPCRT4.dll+58cdd|C:\Windows\System32\RPCRT4.dll+5958b|C:\Windows\System32\RPCRT4.dll+3942c|C:\Windows\System32\RPCRT4.dll+398ac|C:\Windows\System32\RPCRT4.dll+53e9c|C:\Windows\System32\RPCRT4.dll+556fb|C:\Windows\System32\RPCRT4.dll+481da|C:\Windows\SYSTEM32\ntdll.dll+286be|C:\Windows\SYSTEM32\ntdll.dll+2a029|C:\Windows\System32\KERN